Open robertjd opened 9 years ago
I'd like to see:
stormpath.authenticationRequired (to look at all forms of authentication and try whatevers -- this would be a synonym for loginRequired so as to not break backwards compat in 2.x)
stormpath.apiAuthenticationRequired (to look for either oauth2 or basic)
stormpath.basicAuthenticationRequired (to look for basic only)
stormpath.oauthAuthenticationRequired (to look for oauth2 only)
stormpath.cookieAuthenticationRequired (to look for cookie auth only)

This is really nice! :+1:
But regarding the names, how about something like this instead:
stormpath.middleware.auth.all
stormpath.middleware.auth.api
stormpath.middleware.auth.basic
stormpath.middleware.auth.oauth
stormpath.middleware.auth.cookie
Maybe too long, but I don't like the ...AuthenticationRequired on all middlewares, would prefer a namespace instead :)
Hm.. I'm torn. Cause I like namespacing in some cases too, but I never see people do it this way in Node, feels really java-esque :(
I don't think the namespace is required at this time. P.S @timothyej :)
I'm on board with the list by @rdegges - but with the small change that oauthAuthenticationRequired should be oauth2AuthenticationRequired (I inadvertently omitted the 2 in my original comment)
+1 for that
+1
But what do you think about:
stormpath.requireAuthentication
stormpath.requireApiAuthentication
stormpath.requireBasicAuthentication
stormpath.requireOAuth2Authentication
stormpath.requireCookieAuthentication
Personally for me this is easier to remember (and aligns more nicely) since they all start with require. Also feels more assertive, and doesn't it make more sense with require since required is past tense?
I like this list, it's definitely a lot clearer than loginRequired and apiAuthenticationRequired
I'm also liking the require prefix.
New question: what to do with our getUser middleware? This middleware is essentially requireAuthentication, but without the require part :) For all of these proposed authenticators, I can see how it would be useful to resolve the user, via the specified means of authentication, but not 401/error if the resolution cannot be done. Just call next() instead.
How about requireUser? ;)
How often do you think that people need to request a specific form of auth, vs. a user in general? If the 80% use case is resolving a user, then I'd suggest:
getUser
requireUser
requireApiAuthentication
etc
I feel like these middleware functions don't accurately describe what's going on under the hood.
I feel that loginRequired would be more appropriately named cookieAuthenticationRequired
And apiAuthenticationRequired should be broken out into oauthAuthenticationRequired and basicAuthenticationRequired
Further, I think we should create a parent middleware, authenticate, which determines which authentication strategy to use.
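
A sketch of the parent authenticate middleware and the require/get split discussed in this thread, as an added example that is not express-stormpath code. The middleware names follow the proposals above; the strategy functions, credential stores and the run helper are hypothetical and constructed for illustration.

```javascript
// Added sketch, not express-stormpath code. Credential stores are constructed samples.
const API_KEYS = new Map([['key-id', 'key-secret']]); // API key id -> secret
const TOKENS = new Map([['tok-123', 'alice']]);       // bearer token -> user
const SESSIONS = new Map([['sess-abc', 'bob']]);      // session cookie -> user
// Each strategy returns a user, or null when its credential is absent or invalid.
const strategies = {
  basic(req) {
    const m = /^Basic\s+(\S+)$/i.exec(req.headers.authorization || '');
    if (!m) return null;
    const [id, ...rest] = Buffer.from(m[1], 'base64').toString('utf8').split(':');
    // A production verifier would compare secrets in constant time.
    return API_KEYS.has(id) && API_KEYS.get(id) === rest.join(':') ? { name: id, via: 'basic' } : null;
  },
  oauth2(req) {
    const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '');
    return m && TOKENS.has(m[1]) ? { name: TOKENS.get(m[1]), via: 'oauth2' } : null;
  },
  cookie(req) {
    const id = (req.cookies || {}).session;
    return SESSIONS.has(id) ? { name: SESSIONS.get(id), via: 'cookie' } : null;
  },
};

// Parent middleware factory: tries only the listed strategies, in order.
// required=true  -> answer 401 when none resolves a user (the require* behaviour).
// required=false -> call next() with req.user unset (the getUser behaviour).
function authenticate(allowed, required) {
  return function (req, res, next) {
    for (const name of allowed) {
      const user = strategies[name](req);
      if (user) { req.user = user; return next(); }
    }
    if (!required) return next();
    res.statusCode = 401;
    res.end('Unauthorized');
  };
}

const requireAuthentication = authenticate(['cookie', 'oauth2', 'basic'], true);
const requireApiAuthentication = authenticate(['oauth2', 'basic'], true);
const requireCookieAuthentication = authenticate(['cookie'], true);
const getUser = authenticate(['cookie', 'oauth2', 'basic'], false);
// Hypothetical helper: run a middleware on a constructed request and report the outcome.
function run(mw, req) {
  const r = { headers: {}, cookies: {}, ...req };
  const out = { status: null, nextCalled: false, user: null };
  const res = { end() { out.status = res.statusCode; } };
  mw(r, res, () => { out.nextCalled = true; out.user = r.user || null; });
  return out;
}
```

A route guarded by requireApiAuthentication rejects a request that carries only a valid session cookie, which is the point of naming the accepted scheme in the middleware.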