Portico Auth Server (Shelf)
Shelf-based handlers and middleware for building secure authentication servers in Dart. This package simplifies the integration of the Portico Auth ecosystem into your existing Shelf-based backend.
Features
- Standard Handlers: Ready-to-use handlers for login, registration, logout, and token refresh.
- Stateless Authorization: Middleware that can automatically validates JWT Access Tokens and populates the request context.
- Granular RBAC: Helpers for enforcing Role-Based Access Control, including support for scoped permissions.
- Exception Mapping: Automatically translates authentication and authorization errors into appropriate HTTP responses (401, 403, etc.).
Getting started
Add this package to your pubspec.yaml:
dependencies:
portico_auth_server_shelf: ^1.0.0
Interactive Web Simulator
Experience the full capabilities of the Portico Auth ecosystem without setting up a backend. The Web Simulator runs the entire stack (Client, Server, and Storage) directly in your browser.
Usage
1. Initialization
Combine the various Portico Auth components into a single AuthShelf instance.
import 'package:portico_auth_server_shelf/portico_auth_server_shelf.dart';
import 'package:portico_auth_tokens/portico_auth_tokens.dart';
import 'package:portico_auth_credentials/portico_auth_credentials.dart';
final authServer = AuthShelf(
tokenManager, // from portico_auth_tokens
credentials: credentials, // from portico_auth_credentials
roleManager: roleManager, // from portico_auth_roles
);
2. Configure the Pipeline
Use the provided middleware to secure your routes. The exceptionRequestHandler should be placed early in the pipeline to catch authorization errors.
final handler = Pipeline()
.addMiddleware(authServer.exceptionRequestHandler) // Map errors to 401/403
.addMiddleware(authServer.middleware) // Validate JWTs
.addHandler(router.call);
3. Register Authentication Endpoints
Mount the standard handlers for common authentication tasks.
final router = Router();
router.post('/register', authServer.register);
router.post('/login', authServer.login);
router.post('/logout', authServer.logout);
router.post('/refresh', authServer.refresh);
4. Protect Routes with RBAC
Enforce roles directly within your handlers. This supports both global roles and those scoped to specific resources (like a project ID from the path).
router.get('/projects/<id>/settings', (Request request, String id) {
// Throws ForbiddenException if the user lacks the 'admin' role for this 'id'
authServer.requiredRole(request, 'admin', scope: id);
return Response.ok('Settings for project $id');
});
Examples
- Full Shelf Server Example: A complete, runnable server demonstrating registration, login, protected routes, and RBAC.
Libraries
- portico_auth_server_shelf
- An example implementation of using
AuthTokensManagerwith Shelf handlers.