juxt / yada

A powerful Clojure web library, full HTTP, full async - see https://juxt.pro/yada/index.html
MIT License

Authentication schemes cannot be configured per request method #301

Closed dmcgillen closed 5 years ago

dmcgillen commented 5 years ago

It looks like authorization can be applied per request method of a resource, e.g. :access-control {:authorization {:methods {:get :admin}}}, but :scheme, which sits directly under :access-control, applies to the whole resource.

My use case is I have a /users resource, for which POST creates a user (no auth) and GET allows retrieving multiple users based on query parameters (requires a token with an admin role). The requirement of a token is specified by my custom auth scheme, and the requirement of the :admin role is specified in my authorization map for the GET method. The problem is that the custom auth scheme is also applying to the POST request method which does not contain a token.

malcolmsparks commented 5 years ago

The custom auth scheme in this case should enquire in the ctx about the request method and act accordingly. Generally, an auth scheme protects a resource and should consider which method is being used in determining access. For example, a CORS implementation requires that a client can call OPTIONS to find out whether they can POST. Resources are the indivisible unit of coherence in yada, not request methods.

dmcgillen commented 5 years ago

The custom auth scheme (checks for a token in an auth header and decodes it to get roles) is not specific to this resource and so I do not want it to contain config specific to a resource (I use it on many other API resources, many of which have POSTs that do require a token).

SevereOverfl0w commented 5 years ago

Your authentication should run no matter the method, but your authorization may need to look at the ctx in order to decide how to authorize.

I think authorization should be easier in this respect, but authentication works correctly.
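As an added illustration of the split SevereOverfl0w describes (not code from the issue or from yada itself), the scheme below is method-agnostic and only reports credentials or nil, while the per-method authorization map decides whether a missing token matters. It assumes yada.security/verify as the extension point for a custom scheme and credentials carrying a :roles set; decode-token and the token value are constructed stand-ins.

```clojure
(ns example.users
  (:require [yada.yada :as yada]
            [yada.security :as sec]
            [clojure.string :as str]))

;; Constructed stand-in for the decoding step the issue describes: maps a
;; bearer token string to a credentials map (with :roles) or nil.  A real
;; deployment would verify a signed token here instead of comparing a literal.
(defn decode-token [token]
  (when (= token "example-admin-token") ; constructed sample value
    {:user "alice" :roles #{:admin}}))

;; Assumed extension point: yada.security/verify dispatches on the scheme's
;; :scheme key and is called with the ctx and the scheme map.
;; The scheme runs on every request regardless of method.  It never rejects
;; by itself: returning nil means "no credentials", and it is the per-method
;; :authorization map (not the scheme) that decides whether that is acceptable.
(defmethod sec/verify :bearer-roles
  [ctx _scheme]
  (let [header (get-in ctx [:request :headers "authorization"])]
    (when (and header (str/starts-with? header "Bearer "))
      (decode-token (subs header (count "Bearer "))))))

(def users-resource
  (yada/resource
   {:access-control
    {:scheme :bearer-roles                     ; resource-wide authentication
     :authorization {:methods {:get :admin}}}  ; only GET requires the :admin role
    :methods
    {:get  {:produces "application/json"
            :response (fn [_ctx] {:users []})}
     ;; POST has no :authorization entry, so a request without a token
     ;; (verify returned nil) still reaches this handler.
     :post {:consumes "application/json"
            :produces "application/json"
            :response (fn [_ctx] {:created true})}}}))
```

With this layout a token-less GET is refused at the authorization step while a token-less POST proceeds, and the same scheme can be reused on resources whose POST does require a role by adding a :post entry to their :authorization map.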