Several basic questions on design and operation #112
Replies: 2 comments 7 replies
-
Happy to help, thanks for reaching out.
Correct.
That's right. The macros are hopefully helpful defaults, but for complete control, you're able to implement your own access control middleware which would leverage
It can be used elsewhere too and in fact once you've installed the auth layer, you can use
This is a good question and I'd like to try to spend some time putting together better examples around this to help demonstrate some of the patterns we think will work best.
Correct. This is encapsulated by
This sounds like something isn't working as intended--do you have an example you can share?
Not the user, but the user ID.
It's not impossible but it puts more constraints on the generics. This design is heavily influenced by Django's auth middleware, so the API is meant to be quite similar to that. |
Beta Was this translation helpful? Give feedback.
-
Why it's not a good idea to install tower-sessions multiple times? If for example I want to save some custom configuration in the user's session, to use in AuthSession I would have to modify the User struct, but with tower-sessions I can just insert it directly. Is that correct? What would be the best approach? |
Beta Was this translation helpful? Give feedback.
-
I have a bunch of questions which probably would be obvious to someone with more experience with session management, but I'm a noob, and I didn't see the answers in the docs, so ... here I am ... will appreciate any help!
The
AuthManagerLayer
is intended to be used across all routes which might want or set auth session information, but does no access control itself, right? You need to either use the supplied macros or write your own checks, correct?The
AuthManagerLayer
uses aSessionManagerLayer
internally to manage the cookie, yes? Is that session layer only for use by the auth layer, or can it be used separately? If separately, should it be added to the router? Also, theAuthManagerLayer
has a pointer to aBackend
, which likely overlaps with backend resources that might be passed around in an AppState extension. Overall, how should responsibilities be assigned to the auth, session, and state layers/states added to the router?Is
AuthnBackend::get_user()
called for every request? I'm trying to figure out why one of my handlers is failing to find aUser
in its auth context, and noticed thatget_user()
isn't called on those requests, which seems weird. If it's not called on every request, how is it supposed to be used? If it is supposed to be called on every request, what might cause it to fail to be called?Relatedly, isn't the
User
stored in the sessionMemoryStore
? In that case, we shouldn't need to callget_user()
on each request, but then, what isget_user()
for; why couldn'tauthenticate()
do the workget_user()
does and stash the output in the session store?Beta Was this translation helpful? Give feedback.
All reactions