Open raphaelhoffmann opened 8 years ago
See the following instructions for how to use this module.
https://github.com/HazyResearch/mindbender/blob/oauth-support/auth/README.md
First of all, thanks for sharing this high-quality code. I also want auth support in mindbender, but some parts of this PR feel like an overkill. Here are my questions:
- Shouldn't it be a middleware that gatekeeps all paths (except the one for authentication)?
- Is it difficult to simply have a switch in the config file for oauth?
Chris
On Sun, Sep 20, 2015 at 6:07 PM Raphael Hoffmann notifications@github.com wrote:
You're right that this could be improved in several ways. It's the quickest thing we could come up with, and I thought I'd separate it out from the other changes we're making in case you are interested in picking it up and enhancing it. There are definitely a few things you might want to change.
- Yes. It should check other paths as well, and could be called as some sort of middleware to avoid calls to ensureAuthenticated in submodules.
- Right, a simple username/password strategy and other OAuth providers would be interesting as well. At this moment, we only need OAuth with Google, so we built the MVP :).
- JSON files instead of mongo is fine too. I would also add that the authentication works quite well, but there might be a more elegant approach to authorization (I couldn't find a good example for that).
— Reply to this email directly or view it on GitHub: https://github.com/HazyResearch/mindbender/pull/48#issuecomment-141852168
Just to second @netj and @chrismre,
Confirmed: anonymous users can bypass this middleware and successfully query the ES proxy (even if the request has no csrftoken cookie). I'm not familiar enough with nodejs to fix it.
@netj Added basic support for authentication and authorization. If you have time, you might want to look if you want to integrate this into Mindbender.