How this service handles authentication.
Full flows: docs/architecture/auth-flows.md
## Tokens This Service Accepts

| Token type | Where validated | Guard / middleware |
|---|---|---|
| User JWT | Remote validation via hbf-core `/users/me` (also fetches user groups) | HBFGuard |
| Local JWT | Local verification; validates that the `sub` claim matches the `JWT_SUB` env var | JWTGuard |
## Tokens This Service Sends

| Calling | Token used | How attached |
|---|---|---|
| hbf-core | `HBF_CORE_API_TOKEN` env var | Bearer header |
## Tokens This Service Issues

None.
## Roles / Scopes Enforced

| Endpoint pattern | Required role |
|---|---|
| Org-admin endpoints | `ROLE_GROUP_ORG_ADMIN` (via AdminOrgRoleGuard) |
| Any org-role endpoints | Any org role (via AnyOrgRoleGuard) |
| Moderator-only endpoints | `isModerator` |
| Group-restricted endpoints | Group membership (via UserGroupGuard) |
## Auth Notes

- JWTGuard validates that the JWT `sub` claim matches the `JWT_SUB` env var. This is used for API client identification (service-to-service calls).
- HBFGuard calls hbf-core `/users/me` and also fetches the user's groups for group-based authorization.
- UserGroupGuard enables group-based authorization on top of the standard role checks.
- Some endpoints are marked as "HBF-BOT ONLY", meaning they are intended to be called exclusively by hbf-bot using the local JWT.
- Env config: `HBF_CORE_URL` (hbf-core base URL), `HBF_CORE_API_TOKEN` (service token for hbf-core calls), `JWT_SUB` (expected `sub` claim value for local JWT validation).
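The local-JWT check JWTGuard is described as performing, written out as an added example (not the service's own guard code): pin the algorithm, verify the HS256 signature, then require `sub` to equal the configured `JWT_SUB`. The secret, the `signHs256` helper that mints a test token, and the "hbf-bot" subject are constructed for the example; the real signing key would live with hbf-bot, not here.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Base64url without padding, as JWT requires.
const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed helper so the example runs offline; it stands in for the token
// hbf-bot would present. HS256 with a shared secret is an assumption.
export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${body}`).digest());
  return `${header}.${body}.${sig}`;
}

export type Verdict = { ok: true; sub: string } | { ok: false; reason: string };

// Order matters: reject unexpected algorithms and verify the signature before
// trusting any claim, and only then enforce sub === JWT_SUB.
export function verifyLocalJwt(token: string, secret: string, expectedSub: string): Verdict {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  const [header, body, sig] = parts;
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    return { ok: false, reason: "unreadable header" };
  }
  // The key is an HMAC secret, so alg=none or any asymmetric alg is a mismatch.
  if (alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expectedSig = Buffer.from(b64url(createHmac("sha256", secret).update(`${header}.${body}`).digest()));
  const givenSig = Buffer.from(sig);
  if (expectedSig.length !== givenSig.length || !timingSafeEqual(expectedSig, givenSig)) {
    return { ok: false, reason: "bad signature" };
  }
  let claims: Record<string, unknown>;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "unreadable payload" };
  }
  if (typeof claims !== "object" || claims === null) return { ok: false, reason: "unreadable payload" };
  if (typeof claims.exp === "number" && claims.exp <= Math.floor(Date.now() / 1000)) {
    return { ok: false, reason: "expired" };
  }
  // The service-identity check itself: only the configured subject (JWT_SUB) is accepted.
  const sub = claims.sub;
  if (typeof sub !== "string" || sub !== expectedSub) return { ok: false, reason: "sub mismatch" };
  return { ok: true, sub };
}
```

In the guard, `expectedSub` would come from `process.env.JWT_SUB`; a `sub mismatch` verdict is the case to log, since it means a correctly signed token from a different client reached an HBF-BOT ONLY endpoint.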