[Spike] Investigate the minimal infrastructure we need to support authorization #2718
Comments
See #2687. Please note the middleware layer does not have information about the target method and corresponding arguments and context. It's probably not suitable for authorization decisions.
Investigate
Interceptors are great because they are quite simple, they are just annotations with a clear semantic purpose: modify the incoming request and/or the outgoing response. However, this simplicity implies a few limitations:
These problems can be overcome, of course:
For those reasons I think the sequence approach is the most reasonable: your sequence action is always called, so you have a default security behaviour. You can declare specific authorization behaviours by using annotations on the class or the method you want. You always know when your sequence action will be executed; if you need extra execution context, such as loading database-stored ACLs, you can declare those by using the previously mentioned annotations. EDIT: the minimal infrastructure required for my proposal is:
Related: #1462
We support global interceptors that are bound to the context with a special tag.
We define the order of execution. See https://github.com/strongloop/loopback-next/blob/interceptor/docs/site/Interceptors.md for more details.
I've thought about it a lot. Global interceptors solve the first issue I mentioned, but the second, about third parties, was not answered. I was unable to find the definition of the execution order of global interceptors in your doc, besides local interceptors. The order of execution must be defined in user land, not in the interceptor itself. This being said, the interceptor pattern seems fine to me.
Interceptors are now supported. We also allow you to control the order of global interceptors.
See PR #1205
Based on #1205, we can use
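The point argued throughout this thread, as an added example that is not LoopBack's own code: an interceptor runs with the target class, method name and arguments in hand, which a middleware layer lacks, so an authorization interceptor can apply per-method rules and fail closed when a method has no rule, while the caller (user land) fixes the order of the global chain. The `InvocationContext` shape, the `allowedRoles` table (a stand-in for annotation metadata) and the `TodoController` methods are assumptions for illustration.

```typescript
// Added example, not LoopBack's code: a minimal interceptor chain for authorization.
export type Principal = {name: string; roles: string[]};
export interface InvocationContext {
  principal: Principal;   // assumed to be resolved by an earlier authentication step
  targetClass: string;    // what middleware does not see: the target method ...
  methodName: string;
  args: unknown[];        // ... and its arguments
}
export type Interceptor = (ctx: InvocationContext, next: () => unknown) => unknown;

// Stand-in for per-method annotation metadata (a decorator would record this in LoopBack).
const allowedRoles: Record<string, string[]> = {
  'TodoController.find': ['user', 'admin'],
  'TodoController.deleteById': ['admin'],
};

export class AuthorizationError extends Error {
  constructor(message: string) { super(message); this.name = 'AuthorizationError'; }
}

// Default security behaviour: a method without a rule is rejected, so a forgotten annotation fails closed.
export const authorize: Interceptor = (ctx, next) => {
  const key = `${ctx.targetClass}.${ctx.methodName}`;
  const roles = allowedRoles[key];
  if (!roles) throw new AuthorizationError(`no rule for ${key}`);
  if (!roles.some(r => ctx.principal.roles.indexOf(r) >= 0)) {
    throw new AuthorizationError(`${ctx.principal.name} may not call ${key}`);
  }
  return next();
};

// The chain order is whatever the caller passes: user land decides, not the interceptors.
export function invoke(ctx: InvocationContext, chain: Interceptor[], method: (...args: unknown[]) => unknown): unknown {
  const run = (i: number): unknown => (i < chain.length ? chain[i](ctx, () => run(i + 1)) : method(...ctx.args));
  return run(0);
}

// Constructed sample: an audit interceptor placed ahead of authorize so every attempt is recorded.
export const audit: string[] = [];
const auditLog: Interceptor = (ctx, next) => { audit.push(`${ctx.principal.name}->${ctx.methodName}`); return next(); };

export function call(principal: Principal, methodName: string, args: unknown[]): string {
  const ctx: InvocationContext = {principal, targetClass: 'TodoController', methodName, args};
  try {
    return String(invoke(ctx, [auditLog, authorize], (...a) => `${methodName} ok with ${a.length} arg(s)`));
  } catch (e) {
    if ((e as Error).name === 'AuthorizationError') return `denied: ${(e as Error).message}`;
    throw e;
  }
}
```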
Description / Steps to reproduce / Feature proposal
Capturing the discussion with @raymondfeng @bajtos
There are different choices to support authorization:
@raymondfeng did some initial investigation and thinks an interceptor might be a better approach, because middleware doesn't have access to the target method.
Acceptance Criteria