Closed massimodileonardo closed 4 years ago
No, the tokenProtected
group will only authenticate requests with the provided token. If the token doesn't exist or is invalid then it will just continue. This allows you to chain multiple authentication middlewares together.
If you want to block routes to unauthenticated users (which is a perfectly valid use case) then you need to use GuardMiddleware
as you've seen.
Thanks for the explanation.
Il giorno 14 apr 2020, alle ore 12:46, Tim Condon notifications@github.com ha scritto:
No, the tokenProtected group will only authenticate requests with the provided token. If the token doesn't exist or is invalid then it will just continue. This allows you to chain multiple authentication middlewares together.
If you want to block routes to unauthenticated users (which is a perfectly valid use case) then you need to use GuardMiddleware as you've seen.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
If I setup an authentication system as explained in Vapor 4.0 -> Secutity -> Authentication
let tokenProtected = app.grouped(UserToken.authenticator()) tokenProtected.get("me") { req -> User in try req.auth.require(User.self) }
should the tokenProtected group block all requests with missing or wrong tokens, even without calling try req.auth.require(User.self)?
I can obtain this behavior only adding a guardMiddleware
let tokenProtected = app.grouped(UserToken.authenticator(), UserToken.guardMiddleware())