danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.
Apache License 2.0
1.25k stars 360 forks

Multiple authorization methods #643

Open radexpol opened 1 year ago

radexpol commented 1 year ago

I would like to use both session-based and JWT authorization methods. When I detect the BASIC auth header, I want to use TMVCBasicAuthenticationMiddleware; ELSE, when I detect the BEARER auth header, I want to validate tokens.

  FMVC.AddMiddleware(TMVCBasicAuthenticationMiddleware.Create(Self)); // -> lets try login/pass

  FMVC.AddMiddleware(TMVCJWTAuthenticationMiddleware.Create(
      TTokenRequests.Create, nil, JWTEncryptionKey,
      '',
      [TJWTCheckableClaim.ExpirationTime, TJWTCheckableClaim.NotBefore, TJWTCheckableClaim.IssuedAt])); // -> else, lets validate token

The flow of authorization is not quite clear to me. Even if I'm correctly logged in using basic auth, the JWT raises an exception that the JWT header was not found. The code seems strange to me:

procedure TMVCBasicAuthenticationMiddleware.OnBeforeControllerAction(
  AContext: TWebContext;
  const AControllerQualifiedClassName, AActionName: string;
  var AHandled: Boolean);
begin
....

  if IsAuthorized then
    AHandled := False  // -> is this correct? If we set AHandled = False the other authorization methods will be tried, so JWT will fail
  else
  begin
    if IsValid then
      Send403Forbidden
    else
    begin
      SendWWWAuthenticate;
    end;
  end;
end;

When I changed it to AHandled := True, the login process is ok.
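One way to get the behaviour asked for above (each request is seen by only one of the two authentication middlewares), as an added example that is not code from this issue or from DMVCFramework: a hypothetical dispatching middleware that forwards every IMVCMiddleware hook to whichever inner middleware matches the Authorization scheme. It assumes the four-hook IMVCMiddleware signatures of DMVCFramework 3.2.x and the TMVCWebRequest.Headers[] indexer from unit MVCFramework; check both against your version.

```delphi
uses
  System.SysUtils, System.StrUtils, MVCFramework;

type
  { Hypothetical dispatcher (not part of DMVCFramework): exactly one inner
    authentication middleware runs per request, chosen by the Authorization scheme. }
  TMVCAuthSchemeDispatcherMiddleware = class(TInterfacedObject, IMVCMiddleware)
  private
    fBasic, fBearer: IMVCMiddleware;
    function Pick(AContext: TWebContext): IMVCMiddleware;
  protected
    procedure OnBeforeRouting(AContext: TWebContext; var AHandled: Boolean);
    procedure OnBeforeControllerAction(AContext: TWebContext;
      const AControllerQualifiedClassName, AActionName: string; var AHandled: Boolean);
    procedure OnAfterControllerAction(AContext: TWebContext;
      const AControllerQualifiedClassName, AActionName: string; const AHandled: Boolean);
    procedure OnAfterRouting(AContext: TWebContext; const AHandled: Boolean);
  public
    constructor Create(const ABasic, ABearer: IMVCMiddleware);
  end;

implementation

constructor TMVCAuthSchemeDispatcherMiddleware.Create(const ABasic, ABearer: IMVCMiddleware);
begin
  inherited Create;
  fBasic := ABasic;
  fBearer := ABearer;
end;

function TMVCAuthSchemeDispatcherMiddleware.Pick(AContext: TWebContext): IMVCMiddleware;
begin
  // Scheme names are case-insensitive (RFC 7235); only the prefix decides.
  if StartsText('Bearer ', AContext.Request.Headers['Authorization']) then
    Result := fBearer
  else
    Result := fBasic; // "Basic ..." or no header at all: Basic answers with a 401 challenge
end;

procedure TMVCAuthSchemeDispatcherMiddleware.OnBeforeRouting(AContext: TWebContext; var AHandled: Boolean);
begin Pick(AContext).OnBeforeRouting(AContext, AHandled); end;

procedure TMVCAuthSchemeDispatcherMiddleware.OnBeforeControllerAction(AContext: TWebContext;
  const AControllerQualifiedClassName, AActionName: string; var AHandled: Boolean);
begin
  // The chosen middleware sets AHandled := True only when it already wrote a 401/403 response.
  Pick(AContext).OnBeforeControllerAction(AContext, AControllerQualifiedClassName, AActionName, AHandled);
end;

procedure TMVCAuthSchemeDispatcherMiddleware.OnAfterControllerAction(AContext: TWebContext;
  const AControllerQualifiedClassName, AActionName: string; const AHandled: Boolean);
begin Pick(AContext).OnAfterControllerAction(AContext, AControllerQualifiedClassName, AActionName, AHandled); end;

procedure TMVCAuthSchemeDispatcherMiddleware.OnAfterRouting(AContext: TWebContext; const AHandled: Boolean);
begin Pick(AContext).OnAfterRouting(AContext, AHandled); end;
```

Register it with a single FMVC.AddMiddleware(TMVCAuthSchemeDispatcherMiddleware.Create(basicMw, jwtMw)) call, passing the two middlewares constructed exactly as in the two AddMiddleware calls above, so the JWT middleware is only consulted for Bearer requests.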

radexpol commented 1 year ago

No, AHandled is not a solution; it prevents the endpoint methods from being handled. I thought it was related to authorization.

fastbike commented 1 year ago

I've got a similar issue: I need to be able to store the JWT in a session, as some clients use a different endpoint to initially access my app and so will never send an authorization header. I will create a new issue ticket, though.