Skip to content

Node Library Reference

Installation

$ npm install --save @propelauth/node
$ yarn add @propelauth/node

Initialize

initBaseAuth performs a one-time initialization of the library. It will verify your apiKey is correct and fetch the metadata needed to verify access tokens in validateAccessTokenAndGetUser and validateAccessTokenAndGetUserWithOrgInfo.

const propelAuth = require("@propelauth/node");
const {
    validateAccessTokenAndGetUser,
    validateAccessTokenAndGetUserWithOrgInfo,
    fetchUserMetadataByUserId,
    fetchUserMetadataByEmail,
    fetchUserMetadataByUsername,
    fetchBatchUserMetadataByUserIds,
    fetchBatchUserMetadataByEmails,
    fetchBatchUserMetadataByUsernames,
    fetchOrg,
    fetchOrgByQuery,
    fetchUsersByQuery,
    fetchUsersInOrg,
    createUser,
    updateUserMetadata,
    updateUserEmail,
    createMagicLink,
    migrateUserFromExternalSource,
    createOrg,
    addUserToOrg,
    deleteUser,
    disableUser,
    enableUser,
    allowOrgToSetupSamlConnection,
    disallowOrgToSetupSamlConnection,
    UserRole,
} = propelAuth.initAuth({
    authUrl: "https://auth.yourdomain.com", // (1)
    apiKey: "YOUR_API_KEY", // (2)
})
  1. The base URL where your authentication pages are hosted. You can find this under the Backend Integration section for your project at https://app.propelauth.com.
  2. You can manage your api keys under the Backend Integration section for your project.

We recommend putting this in its own file and exporting it:

// propelauth.js
const propelAuth = require("@propelauth/node");
module.exports = propelAuth.initAuth({
    debugMode: true,
    authUrl: "https://auth.yourdomain.com",
    apiKey: "YOUR_API_KEY",
})

And then importing just what you need:

const {validateAccessTokenAndGetUser} = require("./propelauth");

Protect API routes

validateAccessTokenAndGetUser

This function takes in the Authorization HTTP header and verifies the request was made by a valid user. It expects the header to be in the format Bearer ACCESS_TOKEN. If the Authorization HTTP header is malformed or doesn't contain a valid access token, an UnauthorizedException is thrown.

const authorizationHeader = // Get the Authorization header from an HTTP request
try {
    const user = await validateAccessTokenAndGetUser(authorizationHeader)
    console.log(`Got request from user ${user.userId}`);
} catch (err) {
    // You can return a 401, or continue the request knowing it wasn't sent from a logged-in user
    console.log(`Unauthorized request ${err}`);
}

The user object looks like:

{
  // the id of the user whose token was provided
  userId: "2667a646-cdef-49da-8580-47e0d73cffa7",
  // For each organization the user is a member of, this is a dict of the organization's id
  //   to some information about the organization.
  orgIdToOrgMemberInfo: {
    "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4": {
      "orgId": "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4",
      "orgName": "ExampleOrganization",
      // This is the role of the user within that organization. See UserRole for more information
      "userRole": UserRole.Owner,
    }
  }
}

validateAccessTokenAndGetUserWithOrgInfo

This function will verify that a request was made by a valid user AND that user is in an organization. It can optionally also check the user's role within that organization.

Argument Description
Authorization HTTP Header It expects the header to be in the format Bearer ACCESS_TOKEN. If the Authorization HTTP header is malformed or doesn't contain a valid access token, an UnauthorizedException is thrown.
Required Org Info An object with optional fields orgId and orgName. This function will make sure the user who made the request is a member of an organization with the specified orgId and orgName. If the user is NOT a member of the specified organization, a ForbiddenException is thrown.
Minimum Required Role (Optional) Make sure the user has at least this role within the org specified by Required Org Info. If not, a ForbiddenException is thrown.

It returns an object with two fields:

{
    user: //...
    orgMemberInfo: //...
}

The user object has the same structure as the return value of validateAccessTokenAndGetUser.

The orgMemberInfo object looks like:

{
  "orgId": "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4",
  "orgName": "ExampleOrganization",
  "userRole": UserRole.Owner, // (1)
}
  1. This is the role of the user within that organization. See UserRole for more information

Fetch user metadata by id

function fetchUserMetadataByUserId(userId: string, includeOrgs?: boolean): Promise<UserMetadata | null>

// Example
const userMetadata = await fetchUserMetadataByUserId(req.user.userId);
console.log({"userId": userMetadata.userId, "email": userMetadata.email, "lastActiveAt": userMetadata.lastActiveAt});

Successful response (UserMetadata):

{
    userId:            "e9d3520f-836e-403c-82c2-09843517e1ce", 
    email:             "user@example.com",
    emailConfirmed:    true,
    hasPassword:       true,

    username:          "example", // (1)
    firstName:         "first", // (2)
    lastName:          "last", // (3)
    pictureUrl:        "https://...", // (4)

    locked:            false, // (5)
    enabled:           true, 
    mfaEnabled:        false, 

    createdAt:         1645131680,
    lastActiveAt:      1650654711,

    // Only returned if includeOrgs = true
    orgIdToOrgInfo: { // (6)
        "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4" : {
            orgId: "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4", 
            orgName: "ExampleOrganization", 
            userRole: UserRole.Owner,
        }
    },

    // Only returned if user was migrated from an external system 
    legacyUserId:    "507f191e810c19729de860ea"
}
  1. Optional: Only returned if you have the field enabled as part of your user schema
  2. Optional: Only returned if you have the field enabled as part of your user schema
  3. Optional: Only returned if you have the field enabled as part of your user schema
  4. Optional: Only returned if you have the field enabled as part of your user schema
  5. True if the user's account is locked for security purposes.
  6. Includes all organizations that the user is a member of

Fetch user metadata by email

function fetchUserMetadataByEmail(email: string, includeOrgs?: boolean): Promise<UserMetadata | null>

// Example
const email = await db.fetchEmailFromAnalytics()
const userMetadata = await fetchUserMetadataByEmail(req.email)
if (userMetadata) {
    console.log("Found user " + userMetadata)
} else {
    console.log("No user found")
}

Successful response is the same as Fetch user metadata by id.

Fetch user metadata by username

function fetchUserMetadataByUsername(username: string, includeOrgs?: boolean): Promise<UserMetadata | null>

// Example
app.get("/username/lookup", async (req, res) => {
    const userMetadata = await fetchUserMetadataByUsername(req.query.username);
    res.json({"userId": userMetadata.userId, "pictureUrl": userMetadata.pictureUrl});
})

Successful response is the same as Fetch user metadata by id.

Batch fetch users by ids

function fetchBatchUserMetadataByUserIds(userIds: string[], includeOrgs?: boolean): Promise<{ [userId: string]: UserMetadata }>

Successful response:

Any IDs that don't have a match are not returned. Duplicate users are only returned once.

{
    "e9d3520f-836e-403c-82c2-09843517e1ce": {
        userId:            "e9d3520f-836e-403c-82c2-09843517e1ce",
        email:             "user@example.com",
        emailConfirmed:    true,
        hasPassword:       true,

        username:          "example", // (1)
        firstName:         "first", // (2)
        lastName:          "last", // (3)
        pictureUrl:        "https://...", // (4)

        locked:            false, // (5)
        enabled:           true,
        mfaEnabled:        false,

        createdAt:         1645131680,
        lastActiveAt:      1650654711,

        // Only returned if includeOrgs = true
        orgIdToOrgInfo: { // (6)
            "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4" : {
                orgId: "2ef0e1fc-234f-4dc0-a50c-35adb1bbb7e4",
                orgName: "ExampleOrganization",
                userRole: UserRole.Owner,
            }
        },

        // Only returned if user was migrated from an external system 
        legacyUserId:    "507f191e810c19729de860ea"
    },
    // other user_ids
}
  1. Optional: Only returned if you have the field enabled as part of your user schema
  2. Optional: Only returned if you have the field enabled as part of your user schema
  3. Optional: Only returned if you have the field enabled as part of your user schema
  4. Optional: Only returned if you have the field enabled as part of your user schema
  5. True if the user's account is locked for security purposes.
  6. Includes all organizations that the user is a member of

Batch fetch users by emails

function fetchBatchUserMetadataByEmails(emails: string[], includeOrgs?: boolean): Promise<{ [email: string]: UserMetadata }> 

Successful response is the same as Batch fetch users by ids, but the keys are matching email addresses.

Batch fetch users by usernames

function fetchBatchUserMetadataByUsernames(usernames: string[], includeOrgs?: boolean): Promise<{ [username: string]: UserMetadata }>

Successful response is the same as Batch fetch users by ids, but the keys are matching usernames.

Search for users

function fetchUsersByQuery(usersQuery: UsersQuery): Promise<UsersPagedResponse>

// Example
const usersResponse = await auth.fetchUsersByQuery({emailOrUsername: "@example.com", orderBy: "LAST_ACTIVE_AT_DESC"})
for (const user of userResponse.users) {
    console.log("Found user " + user)
}
Argument Description
pageSize The number of results to return at a time. Must be between 1 and 100, default 10.
pageNumber Used to page over results
orderBy How to order the results. Must be one of: CREATED_AT_ASC, CREATED_AT_DESC, LAST_ACTIVE_AT_ASC, LAST_ACTIVE_AT_DESC, EMAIL, USERNAME
emailOrUsername Searches for partial matches within email addresses or usernames. port would match a user with email address support@propelauth.com.
includeOrgs Whether or not to include the user's organization information in the response. Default false

Successful response:

{
    "totalUsers": 103, 
    "currentPage": 0, 
    "pageSize": 10, 
    "hasMoreResults": true,
    "users": [{
        // See (1) for example users
    }, {
        // There will be 10 users in this response
    }]
}
  1. Example user in response

Fetch users in organization

function fetchUsersInOrg(usersInOrgQuery: UsersInOrgQuery): Promise<UsersPagedResponse>

// Example
app.get("/org/:orgId/members", requireOrgMember({minimumRequiredRole: UserRole.Admin}), async (req, res) => {
    const usersResponse = await auth.fetchUsersInOrg({
        orgId: req.org.orgId,
        pageNumber: req.params.pageNumber,
    })
})
Argument Description
orgId The organization to fetch users for
pageSize The number of results to return at a time. Must be between 1 and 100, default 10.
pageNumber Used to page over results
includeOrgs Whether or not to include the user's organization information in the response. Default false

Successful response:

{
    "totalUsers": 43, 
    "currentPage": 0, 
    "pageSize": 10, 
    "hasMoreResults": true,
    "users": [{
        // See (1) for example users
    }, {
        // There will be 10 users in this response, all in the specified organization
    }]
}
  1. Example user in response

Create User

function createUser(createUserRequest: CreateUserRequest): Promise<User>
Argument Description
email The user's email address
emailConfirmed Whether the email address should start off as already confirmed. If false, the user is required to confirm the email address before they sign in.
sendEmailToConfirmEmailAddress Whether we should send an email immediately to confirm the user's email address. If false, the user will get a confirmation email when they first sign in.
password Optional password. If unset, the user can set it themselves via their account page
username Optional username. Can only be used if username is enabled in your user schema
firstName Optional first name. Can only be used if name is enabled in your user schema
lastName Optional last name. Can only be used if name is enabled in your user schema

Successful response:

{
    "userId": "b5f667fb-e51a-49c6-a396-711e62948689"
}

Migrate User from External Source

Similar to Create User, but for cases where you already have a user stored in an external system. You can, for example, pass in a password hash for an existing user, and they will be able to login with their same password. It is also possible to provide an existing identifier, and we will store and return it along with our future identifiers, allowing you to link them.

function migrateUserFromExternalSource(migrateUserFromExternalSourceRequest: MigrateUserFromExternalSourceRequest): Promise<User>
Argument Description
email The user's email address
emailConfirmed Whether the email address should start off as already confirmed. If false, the user is required to confirm the email address before they sign in.
existingUserId (Optional) The user's ID in the existing system. This ID will be stored on the user as a legacyUserId and it is present everywhere userId's are (e.g. fetching user metadata or validating a user's token).
existingPasswordHash (Optional) The user's hashed password. We support both bcrypt and argon2 password hashes.
existingMfaBase32EncodedSecret (Optional) The user's MFA secret, base32 encoded. If specified the user will have MFA enabled by default.
enabled (Optional) Whether or not the user can login
username Optional username. Can only be used if username is enabled in your user schema
firstName Optional first name. Can only be used if name is enabled in your user schema
lastName Optional last name. Can only be used if name is enabled in your user schema

Successful response:

{
    "userId": "b5f667fb-e51a-49c6-a396-711e62948689"
}

Creates a magic link that a user can use to log in. Use this API if you'd prefer to send the magic link to the customer yourself, otherwise, we have createUser which will email them directly.

function createMagicLink(createUserRequest: CreateMagicLinkRequest): Promise<MagicLink>
Argument Description
email The user's email address
redirectToUrl (Optional) Where to redirect the user after they login. If unspecified, will use the login redirect path specified in your dashboard.
expiresInHours (Optional) How many hours should the link be valid for?
createNewUserIfOneDoesntExist (Optional) If true, createMagicLink will create a new user if one matching the provided email address doesn't exist. If false, the request will fail if no user with that email exists. Default is true.

Successful response:

{
    "url": "https://auth.yourdomain.com/..."
}

Update User Email

// Returns true if it was successful, false if the user was not found
function updateUserEmailWrapper(userId: string, updateUserEmailRequest: UpdateUserEmailRequest): Promise<boolean>
Argument Description
newEmail New email address for this user
requireEmailConfirmation Whether the new email address requires confirmation. If true, an email will be sent to the new email address to confirm. If false, the users email address will be updated and confirmed immediately.

Update User Metadata

// Returns true if it was successful, false if the user was not found
function updateUserMetadata(userId: string, updateUserMetadataRequest: UpdateUserMetadataRequest): Promise<boolean>
Argument Description
username Optional username. Can only be used if username is enabled in your user schema
firstName Optional first name. Can only be used if name is enabled in your user schema
lastName Optional last name. Can only be used if name is enabled in your user schema

Delete user

function deleteUser(userId: string): Promise<boolean>

Returns true if the user was deleted.

Disable user

function disableUser(userId: string): Promise<boolean>

Returns true if the user was disabled. Afterwards, the user is logged out and unable to log back in.

Enable user

function enableUser(userId: string): Promise<boolean>

Returns true if the user was enabled, allowing them to log in again.

Fetch an organization

function fetchOrg(orgId: string): Promise<Org | null>

Successful response:

{
    "orgId": "d488996d-8ccc-4101-b5f2-131f5f09ddb6"
    "name": "OneOfYourCustomers"
}

Fetch all organizations

function fetchOrgsByQuery(orgQuery: OrgQuery): Promise<OrgQueryResponse>
Argument Description
pageSize The number of results to return at a time. Must be between 1 and 100, default 10.
pageNumber Used to page over results
orderBy How to order the results. Must be one of: CREATED_AT_ASC, CREATED_AT_DESC, NAME

Successful response:

{
    "totalOrgs": 21, 
    "currentPage": 0, 
    "pageSize": 10, 
    "hasMoreResults": true,
    "orgs": [{
        "orgId": "d488996d-8ccc-4101-b5f2-131f5f09ddb6",
        "name": "OneOfYourCustomers"
    }, {
        // There will be 10 orgs in this response
    }]
}

Create Organization

function createOrg(createOrgRequest: CreateOrgRequest): Promise<Org>
Argument Description
name The organization's name

Successful response:

{
    "orgId": "d488996d-8ccc-4101-b5f2-131f5f09ddb6"
}

Add user to organization

function addUserToOrg(addUserToOrgRequest: AddUserToOrgRequest): Promise<boolean>
Argument Description
userId The user's ID
orgId The org's ID
role The role of the user in that organization, e.g. Admin

Returns true if the user was successfully added to the organization.

Allow organization to set up SAML connection

function allowOrgToSetupSamlConnection(orgId: string): Promise<boolean>

Returns true if successful, meaning the organization can now set up SAML connections.

Disallow organization to set up SAML connection

function disallowOrgToSetupSamlConnection(orgId: string): Promise<boolean>

Returns true if successful, meaning the organization can no longer set up SAML connections.

UserRole

A user role is an enum of roles within an organization. The order of user roles with the most permissions to the least are Owner, Admin, then Member.

UserRole.Owner
UserRole.Admin
UserRole.Member