Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Async AuthorisationStrategy? #3

avimar opened this Issue · 7 comments

4 participants


I wasn't sure where else to ask this.
How do I do an async auth strategy?

e.g. I have a role of editing their own resources -- so I match the credentials to the resource edit request.

But this new case is I want to allow the owner of many sub-accounts to edit the resource. So in that case, I need to do a query to find the owner of that account. (But only if other role-checks fail)

(or maybe I can do this a different way...)

So, is there some way to do async in the AuthorisationStrategy? there's no next(); to not call like in connect middleware...



At the moment this only supports synchronous strategies. The reason for this is that I wanted to support things like:

app.get('/home', function (req, res, next) {
  if ('admin')) {
  } else {

Which wouldn't work with an async API.

It would be cool to have a similar module that did support async, but I don't think it can sensibly be added to this module.


I see.

This is a bit of a hack.. but how about running a middleware before connect-roles that saves the required information into the req object (and then calls next()). I'll give that a try later today...


Yes, I should've commented on that, because this inside the authenticationStrategies refers to the request object, you can load anything you need in advance and put it in the request object. That, for example, is how I tend to load the user itself from the database.

The only downside of doing that it that sometimes you'll be running un-necessary database queries, whereas async authentication strategies would let you run them only when needed.


do you have any example of this middleware that would load data into the request object ?


It's just a middleware that gets run first, something like this:

function checkLogin(req, res, next, hash){
            //do some checks!
                next();//run this once all the async things are finished.

The next version will also support an alternative option whereby all authorisation strategies are allowed to return Promises rather than true/false. This lets them be async, but also means that calls like req.userCan will return a Promise. To enable this, you do:

var ConnectRoles = require('connect-roles');
var roles = new ConnectRoles({async: true});

It's still totally un-tested and un-documented though, so I'm going to leave this open until that gets resolved.


It works, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.