Authenticating and creating #100

Closed
startupthekid opened this Issue Mar 12, 2016 · 4 comments

startupthekid commented Mar 12, 2016

I propose adding a config option that allows the user to specify if the auth service should automatically create a user if passport authentication fails due to the account not existing.

The authentication call would look something like:

```js
this.app.service(this.options.userEndpoint)
  .find(params)
  .then(users => {
    // Paginated services return the array of results in the data attribute.
    let user = users[0] || users.data && users.data[0];
    // Handle bad username.
    if (!user) {
      if (this.options.createIfNonexistent) {
        // Proposed option: create the missing user and resolve with it.
        return this.app.service(this.options.userEndpoint).create(params);
      }
      return done(null, false);
    }

    return user;
  });
```

My example isn't 100% correct, but you get the gist of the idea. Right now, the way things work, you'd first have to make a POST call to your user service to create the user, then a call to login, which means the create call on the user service has to be an exposed endpoint.

What I want to be able to do is:

```js
userService.before({
    create: [
        hooks.disable('external'),
        authHooks.hashPassword()
    ]
});
```

Another idea could be to have a configuration option for a signup route, which would hash the password (if a password is supplied), create a user, then generate a token.

@daffl do you have any thoughts on something like this?

Member

ekryski commented Mar 12, 2016

I had thought about this and intentionally left it off because creation is just a POST to /users. OAuth does already create a user if they don't exist.

@daffl and I talked about this today in fact. I'm not 100% sold on the idea, not because it isn't good, but because I don't want to bloat feathers-auth when the feature is going to be dependent on your business logic a bit.

@startupthekid let me stew on it for a day or so. I'm going to be doing some auth work this weekend most likely so I'll hopefully have some time to spike it out along with the work I've been doing on the password service.

Author

startupthekid commented Mar 12, 2016

That does make sense, avoiding bloat is generally a good thing. And to play devil's advocate to my own idea, the fewer unintended side effects there are, the easier it is to understand for the end user. And it's not like you can't lock down the API further using a custom hook and an API key or something similar.

Now that I think about it, while it might be a useful feature, it might not be needed. I like the idea of pure functions, i.e. it only does one thing and there are no side effects involved.

Member

ekryski commented Mar 12, 2016

@startupthekid It's definitely not a no. I just need a bit of time to think about it and spike it out to see how it would look with the work I'm doing with Password management. So thanks for the suggestion and creating the issue! 😄

@ekryski ekryski added the Feature label Mar 26, 2016

@ekryski ekryski added the Proposal label Apr 24, 2016

@ekryski ekryski added the Discussion label May 21, 2016

@ekryski ekryski added this to the 1.0 milestone Dec 30, 2016

Member

ekryski commented Dec 30, 2016

You can now do this with auth v1.x by simply wrapping your auth.hooks.authenticate hook and catching the error and creating a user and authenticating again.

Alternatively, you could implement a custom verifier for your auth provider that does this internally as part of the verification process.

@ekryski ekryski closed this Dec 30, 2016
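
The wrap-and-retry approach from the last comment, as an added example that is not feathers-authentication code or anything posted in this thread: `makeUserService`, `authenticate`, `authenticateOrCreate` and `NotAuthenticated` are hypothetical in-memory stand-ins, and only the `createIfNonexistent` option name comes from the issue. The wrapper creates the account only when the failure was a missing user, so a wrong password on an existing account never creates or overwrites anything.

```javascript
// Added example: in-memory model of the idea, not the feathers-authentication API.
const { scryptSync, randomBytes, timingSafeEqual } = require('crypto');

class NotAuthenticated extends Error {}

// Hypothetical user service. create() is only called from server code here,
// mirroring hooks.disable('external') from the issue; it salts and hashes.
function makeUserService() {
  const users = new Map();
  return {
    find: (email) => users.get(email) || null,
    create({ email, password }) {
      if (users.has(email)) throw new Error('user already exists');
      const salt = randomBytes(16);
      const user = { email, salt, hash: scryptSync(password, salt, 32) };
      users.set(email, user);
      return user;
    },
  };
}

// Stand-in for the authenticate step: throws NotAuthenticated on any failure.
function authenticate(service, { email, password }) {
  const user = service.find(email);
  if (!user) throw new NotAuthenticated('unknown user');
  const candidate = scryptSync(password, user.salt, 32);
  if (!timingSafeEqual(candidate, user.hash)) {
    throw new NotAuthenticated('bad password');
  }
  return { email: user.email };
}

// Wrapper: catch the failure, create the user only if the account does not
// exist and the option is on, then authenticate again.
function authenticateOrCreate(service, credentials,
                              options = { createIfNonexistent: false }) {
  try {
    return authenticate(service, credentials);
  } catch (err) {
    if (!(err instanceof NotAuthenticated)) throw err;
    // Existing account with a wrong password: rethrow, never create.
    if (!options.createIfNonexistent || service.find(credentials.email)) throw err;
    service.create(credentials);
    return authenticate(service, credentials);
  }
}
```
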
