Closed krainboltgreene closed 7 years ago
This is also where we figure out how to handle authentication and authorization.
So here's what the server knows:

- `Authentication` or `Authorization` header.
- `Authentication: Bearer xyz123`.
- `middleware.rb`.
- `rack.authentication`, on the rack environment object.
- `rack.authentication`.

```ruby
{
  "session" => {
    "id" => "..."
  }
}
```

- `["session", "id"]` and use that to initialize a new `Session` model.
- `Session` model will then determine what account the request comes from.
- `Session` is stored in the controller method `current_session`.
- `Account` is stored in the controller method `current_account`.
- `context` which returns this:

```ruby
{
  current_account: ...
}
```
Here's what we have to figure out:
On it! I know, I really wanna use JWT because I want to push it forward for other projects but I haven't settled on a library. :/ @krainboltgreene
@btamayo In the meantime I've gone with a really simple scheme. `Authentication: Bearer {{token}}`, decrypt the token to get the account id, authorize based on that. As long as anyone has a token that decrypts to an account id, they are that account. It's essentially just a password. Not the most secure and subject to replay attacks and I can't kill individual sessions.
Projects have:

- www: https://github.com/lacqueristas/www/pull/160
- origin: https://github.com/lacqueristas/origin/pull/5
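As an added example (not the lacqueristas project's own code and not from either commenter), the block below follows the flow laid out in the issue body: a Rack-style middleware reads the bearer token, stores `{"session" => {"id" => ...}}` under `rack.authentication` on the rack environment, and a controller resolves that into `current_session`, `current_account` and `context`. It also takes up the reply's point about not being able to kill individual sessions: instead of decrypting an account id out of the token, the token is an opaque random session id looked up in a server-side table with an expiry, so one session can be revoked while the account's other sessions stay valid. `SessionStore`, `Controller`, `request_context`, the constructed `ACCOUNTS` table and the regex used to parse the header are all assumptions made for this illustration.

```ruby
require "securerandom"

# Added example; SessionStore, Controller and ACCOUNTS are assumptions,
# not the lacqueristas project's own classes.
Account = Struct.new(:id, :name)
Session = Struct.new(:id, :account_id, :expires_at, :revoked)

# Constructed account table standing in for the database.
ACCOUNTS = {
  1 => Account.new(1, "alice"),
  2 => Account.new(2, "bob"),
}.freeze

# Server-side session table keyed by an opaque random id. Because the
# account id is looked up here rather than decrypted out of the token,
# a single session can be killed without touching the others, and a
# stolen token stops working once it expires or is revoked.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(account_id, ttl: 3600)
    id = SecureRandom.hex(16)
    @sessions[id] = Session.new(id, account_id, Time.now + ttl, false)
  end

  def find(id)
    session = @sessions[id]
    return nil if session.nil? || session.revoked || Time.now >= session.expires_at
    session
  end

  def revoke(id)
    session = @sessions[id]
    session.revoked = true if session
    session
  end
end

# Rack middleware: parses the bearer token, resolves it to a live session
# and records the result as `rack.authentication` on the environment.
class Authentication
  BEARER = /\ABearer\s+([A-Za-z0-9._~+\/=-]+)\z/

  def initialize(app, store)
    @app = app
    @store = store
  end

  def call(env)
    # Rack exposes the header as HTTP_AUTHORIZATION (or HTTP_AUTHENTICATION
    # for the spelling the issue also mentions).
    header = (env["HTTP_AUTHORIZATION"] || env["HTTP_AUTHENTICATION"]).to_s
    token = header[BEARER, 1]
    session = token && @store.find(token)
    env["rack.authentication"] = session ? { "session" => { "id" => session.id } } : nil
    @app.call(env)
  end
end

# Stand-in for the controller helpers described in the issue body.
class Controller
  def initialize(env, store)
    @env = env
    @store = store
  end

  def current_session
    id = @env.dig("rack.authentication", "session", "id")
    id && @store.find(id)
  end

  def current_account
    session = current_session
    session && ACCOUNTS[session.account_id]
  end

  def context
    { current_account: current_account }
  end
end

# Runs one request through the middleware and returns the controller's context.
def request_context(store, header)
  captured = nil
  app = lambda do |env|
    captured = Controller.new(env, store).context
    [200, {}, []]
  end
  Authentication.new(app, store).call({ "HTTP_AUTHORIZATION" => header })
  captured
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  phone = store.create(1)
  laptop = store.create(1)
  p request_context(store, "Bearer #{phone.id}")[:current_account]   # alice
  store.revoke(phone.id)                                              # kill only this session
  p request_context(store, "Bearer #{phone.id}")[:current_account]   # nil
  p request_context(store, "Bearer #{laptop.id}")[:current_account]  # still alice
end
```

Run it directly to see the three lookups; the revoked phone session returns `nil` while the laptop session for the same account keeps resolving to alice, which is exactly the per-session kill the "decrypt to account id" scheme cannot offer.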