OptimalBits / node_acl

Access control lists for node applications

Recommendations for working with JWTs and Sessionless APIs? #137

Open viztastic opened 9 years ago

viztastic commented 9 years ago

Hi there,

I notice that the user details are taken out of the session store. Is there a recommended way to handle this for the case where I intend to use a stateless authentication technology (such as JWT)?

A solution that comes to mind is to simply have my JWT authentication middleware populate the session.id object before passing it on to ACL?

Thanks!

pdfowler commented 9 years ago

I'm fighting this myself and debating what direction I want to take my project. I'm about 1/2 ACL and 1/2 middleware - but have to support JWT. I've tried working a passport.authenticate call into my main 'isAllowed' call, but with no luck ...

Did you figure anything out?

yoher commented 8 years ago

Hi, I'm just beginning to use node_acl and facing the same requirement.

I guess the right way to go would be to implement a JWT backend to get the info from the token, to be used instead of one of the existing backends (redis, mongo, memory). The main difference would be that we won't be able to modify the user permissions without issuing a new token (as they would be immutably set and signed in the JWT payload by the authentication provider at creation time). It's not a big problem: it's just the same kind of issue that forces you to logout/login into a linux session when you change your user groups. And with some token renewal mechanism it can be fully transparent to the user.

I'll try to share anything I can come up with on that topic.

/Yoann

ianstormtaylor commented 8 years ago

Did any of you end up solving this? Did you do it with node_acl or another library?

yoher commented 8 years ago

Hi there. Short answer: no. I ended up going back to Java/Springboot for that project, and I've had no time to play with nodejs since then... Good luck with it!

vigneshnrfs commented 8 years ago

I am using meanjs.org in some of my projects and have implemented JWT on top of it.

After passport authenticates using jwt, the user is set in req.user.

You can then use acl.middleware() to get the user info from req.user and check for your permissions.

darkyen commented 8 years ago

@vigneshnrfs That will not work very well with stateless APIs, which is exactly what JWTs are good for. For instance express-jwt.

Currently I have rewritten the middleware myself to read roles from JWTs; it treats sub as the userId and role as a role claim from the JWT.