Authentication
UCW includes a built-in authentication system that can be enabled via environment variables.
When AUTHENTICATION_ENABLE=true and the required variables are configured, all express endpoints defined after the useAuthentication call will require a Bearer token and optional scopes. This requires an external authorization system like Auth0.
If you need more control over authentication, you can fork the repository.
Token Endpoint
The /api/token endpoint provides a one-time-use token to pass into the src of your iframe. When used, the server sets an authorization cookie that the widget UI passes to the server for all requests.
See the authentication variables for configuration options.
Disabled Endpoints
By default, these endpoints are disabled:
- UCW Data endpoints & VC endpoints that retrieve data from aggregators
- The Delete User endpoint associated with connections
Enable UCW Data Endpoints
We recommend using our data endpoints to get data back from the aggregators in a standardized format.
A user must not have direct access to these endpoints because these endpoints have access to every other user's data.
You should create an endpoint that calls these endpoints using machine-to-machine authentication after ensuring that it only retrieves data the user should have access to.
To authenticate these endpoints, you'll need to set up the data endpoint variables in apps/server/env/(staging|production).env.
Delete User Endpoint
There is an endpoint for deleting a user associated with a connection. Just as with the data endpoints, mentioned above, the delete user endpoint is turned off by default. This endpoint should be well-protected. This should be machine-to-machine authenticated, and should have a layer of authentication around it that ensure that it is called with user ids that the user should have access to.
For more info, see the Delete user endpoint variables.