Closed slifty closed 5 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 87.82%. Comparing base (
9939440
) to head (e7e681f
).
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Approval (and vacation zone) appreciated but just to clarify for this concern:
If authorization middleware is split from authentication middleware, we could imagine a (bad) situation where authorization middleware says "OK, all good" with a bad token
The only thing populating the auth
variable is the jwt middleware, so under this current code base that won't be any more possible than it was before (basically, the jwt middleware is the thing that would be duped by a bad token). If the jwt middleware doesn't run, or doesn't recognize a valid token, then I believe auth
wouldn't be populated (I'm actually going to add a test for this, to make sure I'm understanding the jwt middleware properlty).
If the jwt middleware somehow gets moved or not run for an endpoint (right now it is universally run), then auth
would not be populated regardless of a good, bad, or nonexistant token being passed.
Does that make sense?
Added better tests! (that was... quite a journey -- fun fact, if you want to test proper jwt parsing you need to make the test an integration test!).
The tests as written were passing, but that's because the jwt stuff was all happening asynchronously / wasn't aligned with the test, and there was no positive test case 😬
Hooray for better tests!
This PR changes authentication so that it is both a universal step AND the act of checking authentication is not in itself an act of authorization. It also adds adds a simple authorization middleware which verifies that the request is associated with a valid authentication object.
Functionally this should not result in any changes to the API (so no impact on version / changelog) -- however it should allow for support for users in future!
Resolves #870 Related to #710