Hi there,
Just a community member here facing a similar challenge.
Based on reading the source code, I believe this should work:
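const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;

// See default implementation packages/core/admin/server/strategies/admin.js
//
// the first param of the `register` method is the "type" of endpoints to protect:
// 1. 'admin' - admin UI routes
// 2. 'content-api' - api routes
strapi.container.get('auth').register('admin', {
  name: 'your-custom-jwt-verifier',

  /**
   * Establish who the caller is from the bearer token on the request.
   *
   * @param {object} ctx - Koa context; on success `ctx.state.user` and
   *   `ctx.state.userAbility` are populated for downstream handlers.
   * @param {Function} next - unused, kept for the strategy signature.
   * @returns {Promise<{authenticated: boolean, credentials?: object}>}
   *   `{ authenticated: false }` for any missing, malformed, invalid or
   *   unknown-user token, so a request is never treated as logged in by accident.
   */
  async authenticate(ctx, next) {
    const { authorization } = ctx.request.header;
    // Koa exposes a single header as a string; anything else cannot be a bearer token.
    if (typeof authorization !== 'string' || authorization.length === 0) {
      return { authenticated: false };
    }

    const parts = authorization.split(/\s+/);
    // Exactly "Bearer <token>"; check the length first so parts[0] is safe to read.
    if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
      return { authenticated: false };
    }
    const token = parts[1];

    // Placeholder for the author's token check (signature, expiry, issuer, ...).
    const { payload, isValid } = validateJwtSomehow(token);
    if (!isValid) {
      return { authenticated: false };
    }

    // A payload without a subject must not reach the database: `where: { id: undefined }`
    // risks becoming an unfiltered lookup that matches an arbitrary user.
    if (payload?.id == null) {
      return { authenticated: false };
    }

    const user = await strapi
      .query('admin::user')
      .findOne({ where: { id: payload.id }, populate: ['roles'] });

    // A valid token for a user that no longer exists, or has been deactivated, must
    // fail closed. The original left this branch empty and went on to authenticate
    // with `user === null`. The `isActive` check mirrors the default admin strategy.
    if (!user || user.isActive !== true) {
      return { authenticated: false };
    }

    ctx.state.user = user;
    ctx.state.userAbility = await strapi
      .service('admin::permission')
      .engine.generateUserAbility(user);

    return { authenticated: true, credentials: user };
  },

  /**
   * Authorize the already-authenticated caller for the route being served.
   * Runs after `authenticate`; `ctx.state.auth.credentials` is the user it returned.
   *
   * @param {object} ctx - Koa context.
   * @param {Function} next - unused, kept for the strategy signature.
   * @throws {ForbiddenError} when the caller is known but not allowed here.
   */
  async verify(ctx, next) {
    const { credentials } = ctx.state.auth;
    // Placeholder for the author's authorization check; it receives the user so the
    // decision is made on the authenticated identity rather than on ambient state.
    if (!checkIfCanAccessAdminTools(credentials)) {
      throw new ForbiddenError();
    }
  },
});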
I’ll circle back once I’ve validated whether this approach works, and will probably submit a PR to update the docs.