application-level authentication

[mblakele]

There is some app-level auth code in roxy today, but it is incomplete. I have some working code that I plan to clean up, unless someone is already working on this. The code breaks into these pieces:

• Extend req:rewrite to protect pages for which login is required. I did this by adding a new protect element to $ROXY-ROUTES, specifying the regex to protect and the exec privilege(s) required to access it. This is the best place to protect pages, because of the existing redirect handler and no-op.xqy module.
• Extend configuration with a logged-in role and logged-in privilege, distinguished from the default login. The logged-in privilege is a good choice for the req:rewrite protection, and along with the role is useful for distinguishing a logged-in user from unprivileged access.
• Complete login-logout form handling.

[garyrusso]

Glad to see you're working on it. I was just working on some simple user account registration code for a Roxy demo app. The user profile data is stored in Marklogic (/users/jdoe/profile.xml) and a session token is generated for logins. I haven't put any thought into the restricted views yet.

Is there any chance that I can get an early copy of your code?

[mblakele]

Gary, see if you can integrate your profile code with the profile page in this pull request.