Print.World Backend

Endpoint Authentication Types

All authentication is centralized in route-generator.ts. Each route explicitly declares its auth type at definition time using one of 6 factory functions.

Quick Reference

Type        Factory Function                   Auth Header                        Use Case
PUBLIC      getPublicPath                      None                               Login, signup, public data
USER        getUserAuthPath                    authorization                      Standard authenticated endpoints
RESTRICTED  getRestrictedUserAuthPath          authorization + whitelist          Beta, premium features
ADMIN       getAdminAuthPath                   custom-admin-auth                  Diagnostics, config, cache
BACKEND     getBackendAuthPath                 internal-auth                      Service-to-service (Kafka)
API KEY     getRestrictedUser...AllowedKeys    authorization or x-print-api-key   Buy/sell tokens via API key

Detailed Breakdown

getPublicPath (PUBLIC)
Pre-handler: noAuthRequiredPreHandler

No authentication required. Sets request.user = { id: '' } with an empty ID. Includes mock handler support for testing.

// Example routes
server.post('/connect-wallet', getPublicPath('connectWithWallet'))
server.post('/sign-transaction', getPublicPath('signTransaction'))

getUserAuthPath (USER)
Pre-handler: authUserPreHandler

Standard JWT authentication. Requires authorization header with a Firebase ID token. Also accepts custom-admin-auth for Postman testing. Validates via AuthService.validateToken() and sets request.user = { id: userId }.

server.post('/generate-mobile-session-token', getUserAuthPath('generateMobileSessionToken'))

getRestrictedUserAuthPath (RESTRICTED)
Pre-handler: restrictedAuthUserPreHandler

JWT + UID whitelist. Same as getUserAuthPath plus checks Firebase settings: restrictByUid and allowedUids. Blocks non-whitelisted users even if they have a valid token.

server.post('/create', getRestrictedUserAuthPath('createToken'))

getAdminAuthPath (ADMIN)
Pre-handler: authAdminPreHandler

Admin-only operations. Requires custom-admin-auth header matching PrintConstants.ADMIN_AUTH_KEY. Controlled by Firebase setting allowAdminKeyFromPostman. No JWT needed.

server.get('/secrets', getAdminAuthPath('getSecrets'))
server.post('/clean-mobile-session-tokens', getAdminAuthPath('cleanMobileSessionTokens'))

getBackendAuthPath (BACKEND)
Pre-handler: backendAuthPreHandler

Service-to-service communication. Requires internal-auth header matching PrintConstants.INTERNAL_ENDPOINTS_AUTH_KEY. For internal Kafka processors and orchestrators. Not exposed to external clients.

server.post('/store-keypair', getBackendAuthPath('storeKeypair'))

getRestrictedUserAuthPathAllowedKeys (API KEY)
Pre-handler: restrictedAuthUserApiKeyPreHandler

Dual authentication: supports JWT OR x-print-api-key header. Checks UID whitelist when enabled. Includes an onSend hook for API key usage logging.

server.post('/buy', getRestrictedUserAuthPathAllowedKeys('buyToken'))
server.post('/sell', getRestrictedUserAuthPathAllowedKeys('sellToken'))

Key Format: pk_live_...  /  pk_test_...
Security: SHA-256 hash, timing-safe compare
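To make the "SHA-256 hash, timing-safe compare" policy concrete, here is an added example of an API key store in the pk_live_/pk_test_ format. It is not the project's api-key-service.ts; the record shape, the 48-hex-character random part and the function names (generateApiKey, validateApiKey, deactivateApiKey) are assumptions. Only the SHA-256 digest of a key is ever stored, and validation compares digests with Node's timingSafeEqual.

```typescript
// Added example; not the project's api-key-service.ts. Keys are issued as
// pk_live_/pk_test_ plus random hex, only their SHA-256 digest is stored, and
// validation compares digests in constant time. Shapes and names are assumed.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

type KeyEnv = 'live' | 'test';

interface ApiKeyRecord {
  keyHash: string; // hex SHA-256 of the full key; the plaintext is never stored
  userId: string;
  env: KeyEnv;
  active: boolean;
}

function sha256Hex(s: string): string {
  return createHash('sha256').update(s).digest('hex');
}

// Constant-time equality of two hex digests (timingSafeEqual needs equal lengths).
function hashesEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, 'hex');
  const bb = Buffer.from(b, 'hex');
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Issue a key. The plaintext is returned once to the caller; the store keeps the hash.
function generateApiKey(store: ApiKeyRecord[], userId: string, env: KeyEnv): string {
  const key = `pk_${env}_${randomBytes(24).toString('hex')}`; // 48 hex chars
  store.push({ keyHash: sha256Hex(key), userId, env, active: true });
  return key;
}

// Validate a presented key. Malformed values are rejected before any lookup; the
// scan then visits every record with a constant-time compare and never returns
// early, so response time does not depend on which record (if any) matched.
function validateApiKey(
  store: ApiKeyRecord[],
  presented: string,
): { userId: string; env: KeyEnv } | null {
  if (!/^pk_(live|test)_[0-9a-f]{48}$/.test(presented)) return null;
  const presentedHash = sha256Hex(presented);
  let match: ApiKeyRecord | null = null;
  for (const rec of store) {
    const same = hashesEqual(rec.keyHash, presentedHash);
    if (same && rec.active) match = rec;
  }
  return match ? { userId: match.userId, env: match.env } : null;
}

// Deactivate rather than delete: the hash stays on record and keeps failing validation.
function deactivateApiKey(store: ApiKeyRecord[], presented: string): boolean {
  const h = sha256Hex(presented);
  const rec = store.find((r) => hashesEqual(r.keyHash, h));
  if (!rec) return false;
  rec.active = false;
  return true;
}
```

The prefix check before hashing is the cheap reject path; everything after it costs the same for a real key and a well-formed fake one. Because a leaked database row holds only digests, a stored hash cannot be replayed as an x-print-api-key header.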

Authentication Flows

JWT Validation (authUserPreHandler):
check custom-admin-auth header -> check authorization header -> throw error if neither found

API Key Fallback (restrictedAuthUser...PreHandler):
try JWT from authorization -> fall back to x-print-api-key -> validate via ApiKeyService -> set request.apiKeyContext

Dynamic Configuration

Real-time Firebase-backed settings at /api-settings that control auth behavior. Hot-reloads on changes.

allowAdminKeyFromPostman: Enable admin key testing
restrictByUid: Enable UID whitelist
allowedUids: Whitelisted user IDs
allowTokenCreation: Feature flag
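The two Authentication Flows above and the settings just listed fit together in one pre-handler chain. The following is an added model of that chain, not the project's route-generator.ts or firebase-settings.ts: the request and user shapes, the AuthDeps interface standing in for PrintConstants.ADMIN_AUTH_KEY, AuthService.validateToken() and ApiKeyService, the optional "Bearer " prefix and the 'admin' user id are all assumptions. Hot-reload is modelled by mutating the settings object in place, so the next request sees the new values.

```typescript
// Added example; not the project's code. Synchronous model of the pre-handler
// chain: authUserPreHandler's header dispatch, the UID whitelist, and the
// x-print-api-key fallback, all reading a settings object that stands in for the
// Firebase-backed values. Shapes, AuthDeps, the "Bearer " prefix and the 'admin'
// user id are assumptions.
import { createHash, timingSafeEqual } from 'node:crypto';

interface AuthSettings {
  allowAdminKeyFromPostman: boolean;
  restrictByUid: boolean;
  allowedUids: string[];
}

interface AuthRequest {
  headers: Record<string, string | undefined>;
  user?: { id: string };
  apiKeyContext?: { userId: string };
}

// Stand-ins for PrintConstants.ADMIN_AUTH_KEY, AuthService.validateToken()
// and ApiKeyService; the signatures are assumed.
interface AuthDeps {
  adminAuthKey: string;
  validateToken: (idToken: string) => string | null; // uid or null
  validateApiKey: (key: string) => { userId: string } | null;
}

class AuthError extends Error {
  constructor(public statusCode: number, message: string) {
    super(message);
  }
}

// Hash both sides so the buffers have equal length, then compare in constant time.
function secretEquals(presented: string, expected: string): boolean {
  const a = createHash('sha256').update(presented).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Live settings (constructed values). Hot-reload = mutate in place via applySettings.
const settings: AuthSettings = {
  allowAdminKeyFromPostman: true,
  restrictByUid: true,
  allowedUids: ['user-1'],
};

function applySettings(update: Partial<AuthSettings>): void {
  Object.assign(settings, update);
}

// JWT Validation flow: custom-admin-auth (if enabled) -> authorization -> error.
function authUserPreHandler(req: AuthRequest, cfg: AuthSettings, deps: AuthDeps): void {
  const adminKey = req.headers['custom-admin-auth'];
  if (cfg.allowAdminKeyFromPostman && adminKey !== undefined) {
    if (!secretEquals(adminKey, deps.adminAuthKey)) throw new AuthError(401, 'bad admin key');
    req.user = { id: 'admin' }; // assumed id for the Postman admin path
    return;
  }
  const auth = req.headers['authorization'];
  if (auth === undefined) throw new AuthError(401, 'no credentials');
  const uid = deps.validateToken(auth.replace(/^Bearer\s+/i, ''));
  if (uid === null) throw new AuthError(401, 'invalid token');
  req.user = { id: uid };
}

// restrictByUid + allowedUids: a valid identity is still refused when not listed.
function enforceUidWhitelist(uid: string, cfg: AuthSettings): void {
  if (cfg.restrictByUid && !cfg.allowedUids.includes(uid)) {
    throw new AuthError(403, 'uid not whitelisted');
  }
}

function restrictedAuthUserPreHandler(req: AuthRequest, cfg: AuthSettings, deps: AuthDeps): void {
  authUserPreHandler(req, cfg, deps);
  enforceUidWhitelist(req.user!.id, cfg);
}

// API Key Fallback flow: JWT/admin headers first; otherwise x-print-api-key,
// validated through ApiKeyService and recorded in request.apiKeyContext.
function restrictedAuthUserApiKeyPreHandler(req: AuthRequest, cfg: AuthSettings, deps: AuthDeps): void {
  if (req.headers['authorization'] !== undefined || req.headers['custom-admin-auth'] !== undefined) {
    restrictedAuthUserPreHandler(req, cfg, deps);
    return;
  }
  const key = req.headers['x-print-api-key'];
  const ctx = key === undefined ? null : deps.validateApiKey(key);
  if (ctx === null) throw new AuthError(401, 'no valid credentials');
  enforceUidWhitelist(ctx.userId, cfg);
  req.user = { id: ctx.userId };
  req.apiKeyContext = ctx;
}

// Constructed dependencies for a stand-alone run; real code calls AuthService/ApiKeyService.
const demoTokens = new Map([['token-user-1', 'user-1'], ['token-user-2', 'user-2']]);
const demoDeps: AuthDeps = {
  adminAuthKey: 'ADMIN_KEY_PLACEHOLDER',
  validateToken: (t) => demoTokens.get(t) ?? null,
  validateApiKey: (k) => (k === 'pk_test_constructed' ? { userId: 'user-1' } : null),
};
```

Each handler either sets request.user (and, for key callers, request.apiKeyContext) or throws an AuthError carrying the status to return. Note the ordering the whitelist imposes: a token that AuthService accepts is still rejected with 403 when restrictByUid is on and the uid is absent from allowedUids, and flipping restrictByUid off via applySettings lets the same request through without a restart.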

Key Files

route-generator.ts — All 6 auth types, pre-handlers, route factories
auth-service.ts — Wallet, Google, Telegram, token validation
api-key-service.ts — API key lifecycle (generate, validate, log, deactivate)
firebase-settings.ts — Dynamic UID whitelist, admin key control
ai-token-guard.ts — Pre-charge/refund system for AI endpoints