pauljamescleary / scala-pet-store

An implementation of the java pet store using FP techniques in scala
Apache License 2.0

Add authentication middleware #49

Open pauljamescleary opened 6 years ago

pauljamescleary commented 6 years ago

Implement authentication middleware for logged in endpoints.

It appears as though TSec is the way to go here...

https://jmcardon.github.io/tsec/docs/http4s/auth-jwt.html

Need a few things here:

  1. Need some kind of login endpoint. That endpoint will take the user and password and generate the token
  2. Need authentication middleware using TSec
  3. Need to update any HttpServices that should be authenticated. Certainly placing orders

pauljamescleary commented 6 years ago

This issue introduces the concept of a User. Authenticated endpoints (which include all endpoints except signup and login) will now need to be Auth'd.

All services will have to take a user. For example, if someone POSTs a new pet, we should associate the user id of the user who created it. Similarly, when someone POSTs a new order, we should save the user id on the order as well.

I am still working through the particulars of TSec, may reach out for some help.

monadplus commented 5 years ago

@paulcleary @zakpatterson I wanted to give TSec a try, so I started working on the issue. I have the implementation almost ready, but Python is a no-no for me. Do you want me to leave a PR without the Python part for someone who is willing to help with it? Or nah?

zakpatterson commented 5 years ago

I think starting a work-in-progress PR for the TSec stuff, and just leaving off the integration testing for it is a great idea.

As an aside, I do think the Python has instructive value for people that come to the project from a Python background. I also think adding integration testing using http4s's client libraries would be valuable. Once integration testing is built out using http4s, I think there would be a case to be made to drop the Python one, since maintaining both would be annoying.

monadplus commented 5 years ago

I agree. It would be great for someone new to fs2 to build integration tests using the streaming http client from http4s. Although you could just run the non-streaming one which is designed specifically for testing.

I'll try to finish and polish the work-in-progress PR about TSec during the next week. Some feedback will be nice :)