Dynamic authentication scopes #2532
lib/auth.js
Are you sure you don't want + instead of *?
Thinking it may be wise to whitelist the parameters the dynamic scope is able to access; allowing anything on the request seems like asking for trouble.
Ok, I think I feel ok about this since it only allows the scope to contain things the user is sending in. This should eliminate the possibility of a malicious user exploiting this feature to leak data.
lib/auth.js
Does this need to be a function? Why not just inline the logic inside the for loop?
This was because the linter throws a "don't make functions within a loop" warning, so I moved it out of the loop
Added the tests you wanted, moved the code to make sure the scope is an array to route setup, and tweaked the loop stuff a little. I kept the logic of the replacing in a function to avoid the "don't create functions in a loop" linter warning.
lib/auth.js
You need to set a flag when a route contains a scope with a valid {} template parameter, then only call this replace logic if that flag is set. Otherwise you are wasting cycles for the 99% not using this feature.
Dynamic authentication scopes
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
I took the simplest approach that I could think of here. Let me know if anything should be changed.
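
The three review points in this thread (whitelisting what a scope template may read, `+` instead of `*` in the pattern, and a flag set at route setup so static routes skip the replace logic), as an added sketch that is not the code from this pull request. The function names, the `{source.key}` template syntax, the allowed sources (`params`, `query`, `payload`) and the choice to drop an entry whose reference does not resolve are assumptions of the example.

```javascript
// Assumption of this example: only these request sections may feed a scope.
const ALLOWED_SOURCES = new Set(['params', 'query', 'payload']);
// "+" rather than "*" so an empty "{}" is never treated as a template.
const TEMPLATE = /\{([^}]+)\}/g;

// Route setup: force an array, reject non-whitelisted templates, set the flag once.
function compileScope(scope) {
    const list = [].concat(scope);
    let dynamic = false;
    for (const entry of list) {
        for (const [, ref] of entry.matchAll(TEMPLATE)) {
            if (!ALLOWED_SOURCES.has(ref.split('.')[0])) {
                throw new Error(`Disallowed scope template {${ref}}`);
            }
            dynamic = true;
        }
    }
    return { list, dynamic };
}

// Walk own properties only, so "{params.__proto__}" resolves to nothing.
function lookup(request, ref) {
    let node = request;
    for (const key of ref.split('.')) {
        if (node === null || typeof node !== 'object' ||
            !Object.prototype.hasOwnProperty.call(node, key)) {
            return undefined;
        }
        node = node[key];
    }
    return typeof node === 'string' || typeof node === 'number' ? String(node) : undefined;
}

// Defined outside any loop; null means "unresolved reference, drop this entry".
function expandEntry(entry, request) {
    let missing = false;
    const text = entry.replace(TEMPLATE, (match, ref) => {
        const value = lookup(request, ref);
        missing = missing || value === undefined;
        return value === undefined ? '' : value;
    });
    return missing ? null : text;
}

// Request time: static routes return early and never run the replace logic.
function expandScope(compiled, request) {
    if (!compiled.dynamic) return compiled.list;
    return compiled.list.map((e) => expandEntry(e, request)).filter((e) => e !== null);
}
// expandScope(compileScope('user-{params.id}'), { params: { id: '42' } }) returns ['user-42']
```

Dropping an entry with an unresolved reference keeps a request that omits the parameter from turning `user-{params.id}` into the bare scope `user-`.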