auth/bearer_auth.ts

Bearer auth middleware for API token authentication.

Bearer tokens are rejected when an Origin or Referer header is present: browsers must use cookie auth. This reduces the attack surface: a token cannot be presented by a page on another origin, because browsers always attach Origin to cross-origin fetch/XHR requests (and Referer to most requests), and a page cannot set an Authorization header on a navigation at all. The check only removes the browser as a vector; replay of a stolen token from a non-browser client such as curl is not affected by it, and bearer attempts are separately rate limited per IP.

Token generation and hashing utilities live in auth/api_token.ts.

Declarations

create_bearer_auth_middleware

(deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger): MiddlewareHandler

Create middleware that authenticates via bearer token.

Rejects bearer tokens when an Origin or Referer header is present: requests from a browser must use cookie auth, which keeps the attack surface smaller. Auth scheme matching is case-insensitive per RFC 7235, so "bearer", "Bearer" and "BEARER" are all accepted. On success, builds the request context ({ account, actor, permits }) and sets it on the Hono context. Skips if a request context is already set (e.g. by session middleware).

deps

query dependencies (pool-level db for middleware)

type QueryDeps

ip_rate_limiter

per-IP rate limiter for bearer token attempts (null to disable)

type RateLimiter | null

log

the logger instance

type Logger

returns

MiddlewareHandler
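The decision logic described above, written out as an added example. This is not the project's code and does not use the API of auth/api_token.ts: the `FixedWindowLimiter` class, the `header_map` helper, the sha256 token table and the choice to skip (rather than reject) a non-bearer Authorization scheme are all assumptions of the example. The function takes anything with a case-insensitive `get()`, which a fetch `Headers` object (in Hono, `c.req.raw.headers`) already satisfies.

```typescript
import { createHash } from "node:crypto";

// Anything with a case-insensitive get(); a fetch Headers object satisfies this.
export interface HeaderReader { get(name: string): string | null; }

// Build a HeaderReader from a plain record (used for the constructed inputs below).
export function header_map(raw: Record<string, string>): HeaderReader {
  const lower = new Map(Object.entries(raw).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (name) => lower.get(name.toLowerCase()) ?? null };
}

// Outcome of inspecting one request for a bearer credential.
export type BearerDecision =
  | { kind: "skip" }                                   // nothing for this middleware to do
  | { kind: "reject"; status: 401 | 403 | 429; reason: string }
  | { kind: "accept"; account_id: string };

// Hypothetical per-IP fixed-window limiter standing in for the page's RateLimiter type.
export class FixedWindowLimiter {
  private hits = new Map<string, { count: number; window_start: number }>();
  constructor(private max: number, private window_ms: number, private now: () => number = Date.now) {}

  // True while the IP is within budget; false once it has exceeded `max` attempts in the window.
  try_consume(ip: string): boolean {
    const t = this.now();
    const e = this.hits.get(ip);
    if (!e || t - e.window_start >= this.window_ms) {
      this.hits.set(ip, { count: 1, window_start: t });
      return true;
    }
    e.count += 1;
    return e.count <= this.max;
  }
}

function sha256_hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Constructed token store: sha256(token) -> account id. Storing only the hash means a
// leaked table yields no usable tokens. The real scheme lives in auth/api_token.ts and
// may differ; this map is an assumption of the example.
const TOKEN_HASHES = new Map<string, string>([[sha256_hex("tok_example_abc123"), "acct_42"]]);

export function decide_bearer(
  headers: HeaderReader,
  client_ip: string,
  limiter: FixedWindowLimiter | null,
  context_already_set = false,
): BearerDecision {
  // Earlier middleware (e.g. session auth) already set the request context.
  if (context_already_set) return { kind: "skip" };

  const authz = headers.get("authorization");
  if (authz === null) return { kind: "skip" };

  // RFC 7235: auth-scheme is case-insensitive, so "bearer", "Bearer" and "BEARER" match.
  // A different scheme (Basic, Digest, ...) is left for whatever handles it; that is a
  // choice made here, not something the page specifies.
  const m = /^\s*bearer\s+(\S+)\s*$/i.exec(authz);
  if (!m) return { kind: "skip" };

  // Browsers always attach Origin to cross-origin fetch/XHR and to most non-GET requests,
  // and Referer to most requests. Either header marks a browser context, where cookie
  // auth is the only accepted credential.
  if (headers.get("origin") !== null || headers.get("referer") !== null) {
    return { kind: "reject", status: 403, reason: "bearer auth not accepted from browser contexts; use cookie auth" };
  }

  // Charge the attempt before the lookup so that guessing costs quota even when it fails.
  if (limiter !== null && !limiter.try_consume(client_ip)) {
    return { kind: "reject", status: 429, reason: "too many bearer token attempts" };
  }

  // Look up by hash; the presented token never reaches storage in the clear.
  const account_id = TOKEN_HASHES.get(sha256_hex(m[1]));
  if (account_id === undefined) return { kind: "reject", status: 401, reason: "invalid token" };
  return { kind: "accept", account_id };
}
```

Wired into Hono, a handler of the form `async (c, next) => { ... }` would pass `c.req.raw.headers` and the client IP to `decide_bearer`, return the error response on `reject`, and on `accept` build the request context, store it with `c.set(...)` and call `await next()`. Note the ordering: the Origin/Referer rejection happens before the rate limiter is charged, so browser-originated misuse does not consume the IP's quota, while failed token guesses from scripts do.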
