endpoints / endpoints-example

an example api written using endpoints

demonstrate auth implementation by including passport? #18

Open ashleygwilliams opened 9 years ago

ashleygwilliams commented 9 years ago

auth is super common in projects. what are our thoughts on adding passport to this example?

jamesplease commented 9 years ago

I def. see there being value in this, so I'm down for adding it. @tkellen, I think you've thought more about auth than I have, so I'm curious to hear your thoughts.

tkellen commented 9 years ago

This is sorely needed. Right now we have no support for auth and no way to pass around the current user. There is a clear location for the current user to be picked up so it can be used in CRUD actions, we just haven't needed it yet.

I'm :+1: to adding passport and to getting res.user populated so we can start by adding it to the endpoints "request object".

Once we have that, we have to take it a step further and figure out a convention based way to weave that user into CRUD responsibilities.

For example, when interacting with resources and relationships, we need a hook to support checking if our user can do something.

I'm imagining that we have an allowedFor(user, method, idOrIds) hook on models (I had this in the original endpoints) that does the following:

  1. If passed user/method, returns a query builder that if executed would return all ids valid for the requested method. This can be interleaved into a read request easily to limit access to what the user can see, or used directly to get the ids so they can be operated on further.
  2. If passed user/method/id, returns a promise that resolves if the user has access and rejects if not.
  3. If passed user/method/ids --- ??? returns a promise that resolves to the valid ids? rejects if any are not allowed, while also supplying the valid ids?
  4. Allows any arbitrary "method" to be added for custom handling.

All of this will be pretty straightforward to implement, it's the documentation around usage that is going to need a lot of love.
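The three call shapes of the allowedFor hook described above, written out as an added example (this is not code from endpoints-example or from the comment's author). An in-memory array filter stands in for the real query builder, the user object's `id` and `role` fields and the per-method rule table are assumptions, and unknown methods are denied by default.

```javascript
// Constructed sample rows standing in for a database table.
const ROWS = [
  { id: 1, ownerId: 10, published: true },
  { id: 2, ownerId: 10, published: false },
  { id: 3, ownerId: 20, published: true },
  { id: 4, ownerId: 20, published: false },
];

// Per-method rules (assumed shape): each returns a row predicate for a user.
// A method with no rule gets a predicate that allows nothing.
const rules = {
  read: (user) => (row) => row.published || row.ownerId === user.id,
  update: (user) => (row) => row.ownerId === user.id,
  destroy: (user) => (row) => row.ownerId === user.id && user.role === 'admin',
};

// Point 4 above: register an arbitrary custom "method".
function addRule(method, rule) { rules[method] = rule; }

// Stand-in for a query builder: evaluated lazily when .ids() is called.
function query(predicate) {
  return { ids: () => ROWS.filter(predicate).map((row) => row.id) };
}

function allowedFor(user, method, idOrIds) {
  const rule = rules[method];
  const predicate = rule ? rule(user) : () => false; // deny by default
  if (idOrIds === undefined) return query(predicate);          // point 1
  const allowed = new Set(query(predicate).ids());
  if (!Array.isArray(idOrIds)) {                                // point 2
    return allowed.has(idOrIds)
      ? Promise.resolve(idOrIds)
      : Promise.reject(new Error(`${method} on ${idOrIds} is not allowed`));
  }
  const valid = idOrIds.filter((id) => allowed.has(id));       // point 3
  if (valid.length !== idOrIds.length) {
    const err = new Error(`${method} is not allowed for some requested ids`);
    err.validIds = valid; // reject, but still report the permitted subset
    return Promise.reject(err);
  }
  return Promise.resolve(valid);
}
```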

ashleygwilliams commented 9 years ago

hey so I have an auth implementation in https://github.com/artisan-tattoo/assistant-api using passport, it's verrrrrrrrrrrry simple, basically just shows how to add it, not even really use it. we could start with this and move forward?

tkellen commented 9 years ago

We either need to add a users table to the fantasy-database repo and update here accordingly, or use a hard-coded user/pass. Thoughts?

ashleygwilliams commented 9 years ago

I think just starting with a hardcoded user/pass might make it simple enough for a first go, and then make it more complicated from there when we have more time to write docs (i.e. I catch the docs up to where we are at the moment)

UmarFKhawaja commented 8 years ago

Hi folks,

Where is this effort now?

Thanks.