application-level authentication #79

mblakele opened this Issue Jan 31, 2013 · 2 comments

MarkLogic member

There is some app-level auth code in Roxy today, but it is incomplete. I have some working code that I plan to clean up, unless someone is already working on this. The code breaks into these pieces:

  • Extend req:rewrite to protect pages for which login is required. I did this by adding a new protect element to $ROXY-ROUTES, specifying the regex to protect and the exec privilege(s) required to access it. This is the best place to protect pages, because of the existing redirect handler and no-op.xqy module.
  • Extend configuration with a logged-in role and logged-in privilege, distinguished from the default login. The logged-in privilege is a good choice for the req:rewrite protection, and along with the role is useful for distinguishing a logged-in user from unprivileged access.
  • Complete login-logout form handling.
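
A sketch of the route-protection check described in the list above, added here as an example and not the code mblakele refers to. The `protect` element's attribute and child names, the privilege URIs (assumed to be already defined), the `/login` route, and the choice to require every listed privilege are all assumptions.

```xquery
xquery version "1.0-ml";

(: Constructed route table. The issue names a <protect> element holding a
   regex and the exec privilege(s) required; the attribute and child names
   and the privilege URIs below are assumptions. :)
declare variable $ROUTES :=
  <routes>
    <protect regex="^/admin(/.*)?$">
      <privilege>http://example.com/privileges/logged-in</privilege>
      <privilege>http://example.com/privileges/app-admin</privilege>
    </protect>
    <protect regex="^/profile(/.*)?$">
      <privilege>http://example.com/privileges/logged-in</privilege>
    </protect>
  </routes>;

(: Execute privileges demanded by every rule whose regex matches the path. :)
declare function local:required-privileges($path as xs:string) as xs:string*
{
  fn:distinct-values(
    $ROUTES/protect[fn:matches($path, @regex)]/privilege/fn:string(.))
};

(: True when the current user holds all required privileges. A path that
   matches no rule needs none, so it stays publicly reachable. :)
declare function local:allowed($path as xs:string) as xs:boolean
{
  every $p in local:required-privileges($path)
  satisfies xdmp:has-privilege($p, "execute")
};

(: Rewriter body: test the path alone, so the query string cannot affect
   which rule matches, then pass the URL through or send it to login. :)
if (local:allowed(xdmp:get-request-path()))
then xdmp:get-request-url()
else "/login"   (: hypothetical login route :)
```

Because unmatched paths are allowed, the regexes carry the whole policy: a rule anchored too narrowly leaves its sibling URLs unprotected.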

Glad to see you're working on it. I was just working on some simple user account registration code for a Roxy demo app. The user profile data is stored in MarkLogic (/users/jdoe/profile.xml) and a session token is generated for logins. I haven't put any thought into the restricted views yet.

Is there any chance that I can get an early copy of your code?

MarkLogic member

Gary, see if you can integrate your profile code with the profile page in this pull request.
