foundersandcoders / open-tourism-platform

An open platform to facilitate the creation of apps to promote local tourism and business in Nazareth
MIT License

Validate header token middleware #126

Closed mattlub closed 6 years ago

mattlub commented 7 years ago

related #27

Never nexts an error; this should be handled by the permissioning middleware.

m4v15 commented 6 years ago

@des-des

We're thinking now that validateJWT and validateHeader will let anyone through, whether logged in or not (using credentials_required=false) and then we should build a permission layer that just checks whether they are logged in or not, and if so then let them through to the next permission layers (checking their role etc).

All the validateX functions will do is populate req.user (or not, if they aren't logged in).
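The layering discussed in this thread, as an added example that is not the project's code: a validator that only populates `req.user` and never nexts an error, followed by permission layers that fail closed. It assumes HS256-signed JWTs in an `Authorization: Bearer` header and omits expiry checks; `makeToken`, `requireLogin`, `requireRole`, `run` and the role names used with them are hypothetical.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (data, secret) => b64url(crypto.createHmac('sha256', secret).update(data).digest());

// Constructed helper: mints sample HS256 tokens for the demo (hypothetical name).
function makeToken(payload, secret) {
  const body = b64url('{"alg":"HS256","typ":"JWT"}') + '.' + b64url(JSON.stringify(payload));
  return body + '.' + sign(body, secret);
}

// Optional authentication: sets req.user on a valid token and never nexts an error.
// The token's own alg field is ignored; the signature is always checked as HMAC-SHA256.
function validateHeader(secret) {
  return (req, res, next) => {
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    const parts = (token || '').split('.');
    if (scheme === 'Bearer' && parts.length === 3) {
      const expected = Buffer.from(sign(parts[0] + '.' + parts[1], secret));
      const given = Buffer.from(parts[2]);
      if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
        try { req.user = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); } catch (e) { /* stay anonymous */ }
      }
    }
    next(); // a missing or bad token means "anonymous", not an error
  };
}

// Permission layer 1: fail closed when the validators left req.user unset.
function requireLogin(req, res, next) {
  next(req.user ? undefined : Object.assign(new Error('login required'), { status: 401 }));
}

// Permission layer 2: role check, placed after requireLogin in the chain.
const requireRole = (...roles) => (req, res, next) =>
  next(req.user && roles.includes(req.user.role) ? undefined
    : Object.assign(new Error('forbidden'), { status: 403 }));

// Minimal stand-in for an Express chain: 200, or the status of the first error.
function run(chain, headers) {
  const req = { headers };
  for (const mw of chain) {
    let err;
    mw(req, {}, (e) => { err = e; });
    if (err) return { status: err.status, user: req.user };
  }
  return { status: 200, user: req.user };
}
```

Because the validator never rejects, a route mounted with only `validateHeader` is reachable anonymously; every protected route needs `requireLogin` (or a stricter layer) in its chain.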