FusionAuth / Fastify

mark 0

Does anyone have their (node) api service protected by FusionAuth using fastify? I have a simple POC that works with auth0 and the api is protected fairly easily with the below code:

// get variables from environment / enable auth0
fastify.register(require('fastify-auth0-verify'), {
  domain: process.env.AUTH0_DOMAIN,
  secret: process.env.AUTH0_SECRET
});
// Actually turns on auth0
fastify.addHook("onRequest", async (request, reply) => {
  try {
    await request.jwtVerify()
  } catch (err) {
    reply.send(err)
  }
});

With the above code I can fairly easily grab the bearer token and pass that into curl (curl -H "Authorization: Bearer ${TOKEN}" ${SRV}/apiV1/users) for both production/testing purposes. If the bearer token is not valid it fails at the request level.

We're not that far along that I couldn't recode this into express to test the differences between the systems, but as it's working with fastify...

dan

@mark-0

I have not done this, but from looking at the Fastify JWT library, it looks pretty straight forward:

https://github.com/fastify/fastify-jwt#options

Since there's no Fastify FusionAuth integration, you need to pass the public and private key if you want to verify and sign the JWTs, respectively. Since FusionAuth is creating the JWT, in theory you could just pass the public key of an RSA keypair, since you'll never need to sign the JWT (haven't tested that though).

To add the keys to FusionAuth, you'll want to use Keymaster: https://fusionauth.io/docs/v1/tech/core-concepts/key-master

Hope that helps.