vapor / auth

👤 Authentication and Authorization framework for Fluent.

consider including JWT by default #53

Closed tanner0101 closed 5 years ago

tanner0101 commented 6 years ago

Providing a JWT auth middleware by default could be a nice addition to this package. Vapor's JWT package would be a lightweight dep since Auth already relies on Crypto.

// Module imports assumed for Vapor 3 with the Authentication and JWT packages.
import Authentication
import JWT
import Vapor

/// Authenticates a request from a JWT carried in the `Authorization: Bearer <token>` header.
/// `U` must be both the `Authenticatable` type registered with the Authentication package
/// and the `JWTPayload` whose claims the token carries.
final class JWTAuthenticationMiddleware<U>: Middleware where U: Authenticatable & JWTPayload {
    /// Signer (key + algorithm) used to verify every incoming token.
    let signer: JWTSigner

    /// `type` is only used so the caller can pin `U` at the call site.
    init(_ type: U.Type, signer: JWTSigner) {
        self.signer = signer
    }

    /// See `Middleware`.
    func respond(to req: Request, chainingTo next: Responder) throws -> EventLoopFuture<Response> {
        // fetches the token from `Authorization: Bearer <token>` header
        guard let bearer = req.http.headers.bearerAuthorization else {
            // no authorization header, pass along un-authenticated request
            return try next.respond(to: req)
        }

        // parse JWT from token string, using configured signer
        // (a signature failure throws; claim checks such as expiry are whatever
        // `U.verify(using:)` implements)
        let jwt = try JWT<U>(from: bearer.token, verifiedUsing: signer)
        try req.authenticate(jwt.payload)

        // pass along authenticated request
        return try next.respond(to: req)
    }
}
0xTim commented 6 years ago

I disagree with this - it pulls in yet another dependency that a large number of people wouldn't use. People on web won't use JWT and I personally don't like it for doing API auth either - JWT is pretty terrible for authenticating users, since you can't blacklist tokens or sign users out etc.

My (highly opinionated) $0.02 😆

tholo commented 6 years ago

Not so sure about the "can't blacklist tokens" and "sign users out" parts of your argument -- a "normal" implementation of JWT is that you use a short-lived token (typically a few minutes at most), with a database-backed "refresh token", and if the latter is revoked then you won't be able to get a new JWT token without logging in again. So you have been effectively signed out / blacklisted.

That said, the middleware should probably be added to the JWT package and not to the Auth one?
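
Added example (editor's illustration, not code from this thread or from the Vapor project): a language-neutral Python sketch of the scheme tholo describes above, and of the limitation 0xTim raises. A short-lived HS256 access token is minted alongside an opaque, database-backed refresh token; revoking the refresh token blocks any further access tokens, while an access token already in the wild keeps verifying until its `exp`. The HMAC key, the 300-second lifetime and the in-memory `RefreshTokenStore` are assumptions standing in for real configuration and a real table; the JWT is hand-rolled so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed values for this sketch: an HMAC key and a five-minute access-token
# lifetime, matching the "few minutes at most" guidance in the thread.
SECRET = b"constructed-demo-key-do-not-use"
ACCESS_TTL = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT with a fixed header (the verifier never trusts the token's alg)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the payload if the signature is valid and `exp` is still in the future.

    Raises ValueError otherwise. Note what is *not* here: no database lookup.
    A signed access token stays valid until `exp` whatever happened to the refresh token.
    """
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    h, p, s = pieces
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none / key-confusion tokens
    payload = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


class RefreshTokenStore:
    """Stand-in for the refresh-token table; only a hash of each token is kept."""

    def __init__(self) -> None:
        self._rows: dict = {}  # sha256(raw token) -> {"sub": ..., "revoked": bool}

    @staticmethod
    def _key(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, sub: str) -> str:
        raw = secrets.token_urlsafe(32)
        self._rows[self._key(raw)] = {"sub": sub, "revoked": False}
        return raw

    def lookup(self, raw: str):
        return self._rows.get(self._key(raw))

    def revoke(self, raw: str) -> bool:
        row = self.lookup(raw)
        if row is None:
            return False
        row["revoked"] = True
        return True

    def revoke_all_for(self, sub: str) -> int:
        """'Sign out everywhere': revoke every live refresh token of one subject."""
        hits = [r for r in self._rows.values() if r["sub"] == sub and not r["revoked"]]
        for r in hits:
            r["revoked"] = True
        return len(hits)


def login(store: RefreshTokenStore, sub: str, now: float):
    """Credential check omitted; returns (short-lived access JWT, opaque refresh token)."""
    access = sign_jwt({"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL})
    return access, store.issue(sub)


def refresh_access(store: RefreshTokenStore, raw_refresh: str, now: float) -> str:
    """Mint a new access token only if the refresh token is known and not revoked."""
    row = store.lookup(raw_refresh)
    if row is None or row["revoked"]:
        raise PermissionError("refresh token unknown or revoked; log in again")
    return sign_jwt({"sub": row["sub"], "iat": int(now), "exp": int(now) + ACCESS_TTL})
```

The split of responsibilities is the point: the access token is checked purely by signature and clock (cheap, no database round trip per request), and revocation lives entirely in the refresh-token table. The window in which a revoked user can still act is therefore exactly `ACCESS_TTL`, which is why the access lifetime has to stay short.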

valeriomazzeo commented 5 years ago

Vapor does not necessarily depend on vapor/jwt, nor does Authentication.

It would make more sense to have another package vapor/auth-jwt which depends on:

This new repository essentially would be a Vapor 3 version of vapor-community/jwt-provider which has been deprecated leaving everyone that was using it absolutely without an alternative.

See also https://github.com/vapor/jwt/issues/87

valeriomazzeo commented 5 years ago

This provides a similar functionality to the old vapor-community/jwt-provider: https://github.com/asensei/vapor-auth-jwt

0xTim commented 5 years ago

Closing due to inactivity - feel free to reopen!