mattdimeo
commented
1 year ago Apologies, it appears equivalent functionality already exists.
Closed mattdimeo closed 1 year ago
mattdimeo
commented
1 year ago Apologies, it appears equivalent functionality already exists.
It seems likely that most users of this module will want to know which user actually authenticated, which requires parsing the Authorization header, which this module is already doing.
I suggest setting req.authUser to the username part of the decoded header upon a successful authentication. Including it on failed auths seems like a security bug magnet, so I'd be inclined not to do that.