Open Axort opened 2 years ago
ptrkstr
commented
2 years ago Hey @Axort, thanks for reaching out. I'd like to keep the caller responsible for where APIKeyMiddleware receives its keys from, not have APIKeyMiddleware manage the retrieval. However you've given me an idea that maybe the API Keys to match against could also be returned through the delegate incase the API Keys were to change at runtime?
Axort
commented
2 years ago Ah, that's a good idea!
Perhaps you can keep the constructor as it is right now but having the keys array as optional. Then you can check if keys is nil, then you can call the delegate to retrieve it from there OR just keep the delegate for the keys retrieval and leave the constructor with only the delegate param.
ptrkstr
commented
2 years ago Hi @Axort sorry for the delay, I will work on this, this week.
It would be great if we can store an API Key in the db (with a migration using bcrypt) and then check if the api-key header is valid against multiple api-keys stored in the DB. Maybe do something like what Fluent has in ModelAuthenticatable or in ModelTokenAuthenticatable.
Having multiple api-key allows controlling which client can access the data.