How this service handles authentication.
Full flows: docs/architecture/auth-flows.md
## Tokens This Service Accepts

| Token type | Where validated | Guard / middleware |
|---|---|---|
| User JWT | hbf-core `/users/me` | HBFGuard |
| Service JWT | Local validation, checks for HBF_SERVICE role | JWTGuard |
## Tokens This Service Sends

| Calling | Token used | How attached |
|---|---|---|
| hbf-core | User JWT (forwarded) | `Authorization: Bearer <token>` header |
## Tokens This Service Issues

None.
## Roles / Scopes Enforced

| Endpoint pattern | Required role |
|---|---|
| Service-to-service endpoints | HBF_SERVICE (ValidRoles.HBF_SERVICE) |
| Org-scoped endpoints | Org member role (via MemberOrgRoleGuard) |
## Auth Notes

- JWTGuard specifically checks for the HBF_SERVICE role (ValidRoles.HBF_SERVICE), enabling service-to-service authentication distinct from user authentication.
- HBFGuard delegates token validation to hbf-core by calling `/users/me`. The request is authenticated only if hbf-core confirms the token.
- MemberOrgRoleGuard enforces that the caller has an active membership in the target organization.
- Config: `CORE_URL` points to the hbf-core instance used for token validation.
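As an added illustration of the JWTGuard path described above (example code, not the service's own guard), a local HS256 check that accepts a token only when its signature verifies, it is unexpired, and its roles claim carries HBF_SERVICE. The shared secret, the `roles` array claim, and the HS256 algorithm are assumptions; the real guard's JWT library and claim layout are not given on this page.

```typescript
// Added example, not the service's own JWTGuard: a local HS256 check of the
// kind the guard performs for service JWTs. Assumptions: the signing secret is
// shared out-of-band and the roles live in a "roles" array claim.
import { createHmac, timingSafeEqual } from "node:crypto";

export const HBF_SERVICE = "HBF_SERVICE"; // ValidRoles.HBF_SERVICE on the page

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Constructed helper to mint test tokens; the real issuer lives elsewhere.
export function signHs256(payload: object, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

export type ServiceCheck = { ok: true; sub: string } | { ok: false; reason: string };

// Order matters: signature first, then expiry, then the HBF_SERVICE role, so a
// user JWT (valid signature, no service role) is rejected at the last step.
export function checkServiceJwt(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): ServiceCheck {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header: any;
  try { header = JSON.parse(Buffer.from(head, "base64url").toString("utf8")); }
  catch { return { ok: false, reason: "bad header" }; }
  // Pin the algorithm instead of trusting whatever alg the token declares.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    return { ok: false, reason: "bad signature" };
  }
  let claims: any;
  try { claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); }
  catch { return { ok: false, reason: "bad payload" }; }
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (!Array.isArray(claims.roles) || !claims.roles.includes(HBF_SERVICE)) {
    return { ok: false, reason: "missing HBF_SERVICE role" };
  }
  return { ok: true, sub: String(claims.sub) };
}
```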