vapor / fluent

Vapor ORM (queries, models, and relations) for NoSQL and SQL databases
https://docs.vapor.codes/4.0/fluent/overview/
MIT License
1.32k stars 172 forks

ModelTokenAuthenticatable usage #676

Closed: massimodileonardo closed 4 years ago

massimodileonardo commented 4 years ago

If I set up an authentication system as explained in Vapor 4.0 -> Security -> Authentication:

```swift
let tokenProtected = app.grouped(UserToken.authenticator())
tokenProtected.get("me") { req -> User in
    try req.auth.require(User.self)
}
```

should the tokenProtected group block all requests with missing or wrong tokens, even without calling try req.auth.require(User.self)?

I can obtain this behavior only by adding a guardMiddleware:

```swift
let tokenProtected = app.grouped(UserToken.authenticator(), UserToken.guardMiddleware())
```

0xTim commented 4 years ago

No, the tokenProtected group will only authenticate requests with the provided token. If the token doesn't exist or is invalid then it will just continue. This allows you to chain multiple authentication middlewares together.

If you want to block routes to unauthenticated users (which is a perfectly valid use case) then you need to use GuardMiddleware as you've seen.
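
The difference between an authenticator and a guard, as an added example that is not part of the original thread or the project's own code. It needs only `import Vapor`; `DemoUser`, `DemoTokenAuthenticator`, the token value and the route paths are hypothetical stand-ins for the thread's Fluent `User` model and `UserToken.authenticator()`.

```swift
import Vapor

// Hypothetical user type; stands in for the thread's Fluent `User` model.
struct DemoUser: Authenticatable {
    let name: String
}

// Hypothetical authenticator with one constructed token; stands in for
// `UserToken.authenticator()` from the thread.
struct DemoTokenAuthenticator: AsyncBearerAuthenticator {
    func authenticate(bearer: BearerAuthorization, for request: Request) async throws {
        // Log a user in only when the token matches. On a mismatch nothing
        // is thrown, so the request continues down the chain unauthenticated.
        if bearer.token == "constructed-demo-token" {
            request.auth.login(DemoUser(name: "demo"))
        }
    }
}

func routes(_ app: Application) throws {
    // Authenticator only: never rejects. Requests with a missing or wrong
    // token still reach every handler in this group.
    let authenticated = app.grouped(DemoTokenAuthenticator())

    // Optional authentication: the handler must treat the user as possibly absent.
    authenticated.get("greeting") { req -> String in
        guard let user = req.auth.get(DemoUser.self) else { return "Hello, guest" }
        return "Hello, \(user.name)"
    }

    // Per-route check: `require` throws a 401 when no DemoUser is logged in.
    authenticated.get("me") { req -> String in
        try req.auth.require(DemoUser.self).name
    }

    // Authenticator + guard: the guard answers 401 before the handler runs
    // unless the authenticator logged a DemoUser in.
    let protected = authenticated.grouped(DemoUser.guardMiddleware())
    protected.get("settings") { req -> String in
        // Protected even though this handler never touches req.auth.
        "settings"
    }
}
```

A handler placed in the `authenticated` group that forgets both `require` and the guard is reachable without a token, which is why the guard belongs on the route group rather than in each handler.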

massimodileonardo commented 4 years ago

Thanks for the explanation.
