Closed sivann closed 7 years ago
You can write a custom rule for that. If a rule returns true, the request will be authenticated. If false, the request will not be authenticated. Default rules are RequestPathRule and RequestMethodRule. What you are looking for is some kind of combination of those two.
Ah, thank you. I saw the rules implementation, seems very elegant. This is not just an auth module, it's also a "how to code" tutorial :-) You can perhaps add the rules feature to the README as I didn't think to read the code.
Now that you reminded me about it, I should document how to use rules a bit better.
In addition to URI/path I think it would be very useful if there could be a way to require auth based on HTTP methods. E.g.: allow all GET and PUT requests to /api/items but require auth for POST and DELETE on /api/items
so $path could be like $path = ['GET'=>['path1','path2'], 'POST'=>..., ALL=>..], same for $passthrough
This can be done in the __invoke function of a class implementing the AuthenticatorInterface by differentiating on method like so:
but I think an easier definition would be beneficial.
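The per-method path map proposed above, as an added example that is not part of the thread or of the library's own code: a stand-alone rule that follows the convention stated in the reply (true means the request is authenticated). The class name `MethodPathRule`, its `__invoke(string $method, string $path)` signature and the sample paths are assumptions; it does not implement the library's rule interface, and it assumes the path is the already URL-decoded path component of the request.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical class, not the library's RuleInterface).
// Convention from the thread: true = authenticate the request, false = let it through.
final class MethodPathRule
{
    /** @var array<string, string[]> HTTP method (or 'ALL') => protected path prefixes */
    private array $protected = [];

    public function __construct(array $map)
    {
        foreach ($map as $method => $paths) {
            // Store method names upper-cased so 'post' and 'POST' are the same key.
            $this->protected[strtoupper((string) $method)] =
                array_map(fn (string $p): string => self::normalize($p), $paths);
        }
    }

    public function __invoke(string $method, string $path): bool
    {
        $path = self::normalize($path);
        $prefixes = array_merge(
            $this->protected[strtoupper($method)] ?? [],
            $this->protected['ALL'] ?? []
        );
        foreach ($prefixes as $prefix) {
            // Match only on a segment boundary: /api/items and /api/items/7
            // are covered by /api/items, /api/items-public is not.
            if ($prefix === '/' || $path === $prefix
                || strncmp($path, $prefix . '/', strlen($prefix) + 1) === 0) {
                return true;
            }
        }
        return false;
    }

    // Collapse repeated slashes and drop the trailing one, so that
    // "/api//items/" is compared as "/api/items" and cannot slip past a prefix.
    private static function normalize(string $path): string
    {
        return '/' . trim(preg_replace('#/+#', '/', $path), '/');
    }
}

// Constructed sample: the /api/items case from the request above.
$rule = new MethodPathRule(['POST' => ['/api/items'], 'DELETE' => ['/api/items']]);
var_dump($rule('GET', '/api/items'));     // method not listed for this path
var_dump($rule('post', '/api//items/7')); // lower-case method, doubled slash
```

Because any method missing from the map is let through, a route that also accepts PATCH or PUT writes needs those methods listed explicitly or covered by an `ALL` entry.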