Auth: hbf-client-integrations
How this service handles authentication. Full flows: `docs/architecture/auth-flows.md`
Tokens This Service Accepts
| Token type | Where validated | Guard / middleware |
|---|---|---|
| User JWT | hbf-core /users/me | HBFGuard |
| JWT (structure only) | Local validation, verifies JWT structure without role checking | HBFTokenGuard |
| HTTP Basic Auth | Local validation, per-endpoint credentials from env vars | BasicAuthGuard |
Tokens This Service Sends
| Calling | Token used | How attached |
|---|---|---|
| hbf-core | CORE_TOKEN | Authorization: Bearer <CORE_TOKEN> header |
| External services (Dynamics 365, Zendesk, Genesys, Infobip, etc.) | Service-specific credentials | Varies per integration |
Tokens This Service Issues
None.
Roles / Scopes Enforced
| Endpoint pattern | Required role |
|---|---|
| Org-scoped endpoints | Org member role (via OrgMemberGuard) |
| Basic auth endpoints | Valid credentials matching env var pair |
Auth Notes
- Unique among services in supporting both Bearer token and HTTP Basic Auth on different endpoints.
- Custom decorators allow per-endpoint basic auth configuration:
  - `@UseBasicAuth(usernameEnvKey, passwordEnvKey, realm)` for generic basic auth.
  - `@UseNovibetReportBasicAuth()` as a convenience wrapper.
- HBFTokenGuard is simpler than HBFGuard. It verifies JWT structure only, without checking roles or calling hbf-core.
- 12 distributor modules exist, each with its own auth pattern for external service integration.
- Config: `CORE_URL`, `CORE_TOKEN`, plus per-endpoint basic auth credentials (e.g., `NOVIBET_REPORT_USERNAME`, `NOVIBET_REPORT_PASSWORD`).
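
The per-endpoint check described above for basic auth endpoints (credentials must match an env var pair) can be sketched as follows. This is an added example, not the service's own code: `checkBasicAuth`, `safeEqual`, `SAMPLE_ENV`, the realm and the credential values are assumptions, and only the env key names come from this page. It fails closed when either env var is unset and compares credentials in constant time.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type Env = Record<string, string | undefined>;
type BasicAuthResult =
  | { ok: true }
  | { ok: false; status: 401; challenge: string };

// Constructed sample values; only the key names come from this page.
const SAMPLE_ENV: Env = {
  NOVIBET_REPORT_USERNAME: "reports",
  NOVIBET_REPORT_PASSWORD: "s3cr:et-example",
};

// Hash both sides so timingSafeEqual always gets equal-length buffers and
// the comparison time does not depend on where the strings differ.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}

// Hypothetical helper: validates an Authorization header against one env var pair.
function checkBasicAuth(
  authorization: string | undefined,
  usernameEnvKey: string,
  passwordEnvKey: string,
  realm: string,
  env: Env = process.env,
): BasicAuthResult {
  const deny: BasicAuthResult = { ok: false, status: 401, challenge: `Basic realm="${realm}"` };
  const expectedUser = env[usernameEnvKey];
  const expectedPass = env[passwordEnvKey];
  // Fail closed: an unset or empty env var must never match empty credentials.
  if (!expectedUser || !expectedPass) return deny;

  // The scheme name is case-insensitive; the payload must be plain base64.
  const match = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(authorization ?? "");
  if (!match) return deny;
  const decoded = Buffer.from(match[1] ?? "", "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the first colon only (RFC 7617)
  if (sep < 0) return deny;
  // Evaluate both comparisons before deciding, so timing does not reveal which one failed.
  const userOk = safeEqual(decoded.slice(0, sep), expectedUser);
  const passOk = safeEqual(decoded.slice(sep + 1), expectedPass);
  return userOk && passOk ? { ok: true } : deny;
}
```

The `challenge` string is the value to send in the `WWW-Authenticate` header alongside the 401 response.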