Simplifies the exception and status code handling #302
Conversation
|
Thanks for pinging me on this, but I won't have a chance to look at it until Friday morning. If you can wait that long I'll gladly review this. |
|
@igorbernstein Sure, I can wait! |
| * | ||
| * @param msg The exception message. | ||
| */ | ||
| def this(msg: String) = this(msg, null) |
There was a problem hiding this comment.
you could use default constructor param
class ForbiddenException(msg:String, cause:Throwable = null)
|
@akkie looks very good. |
|
I'm looking through this now, a couple of early thoughts (I'll try to solidify tomorrow):
|
|
I'm not really sure if the terms In Silhouette a user is not-authenticated and not-authorized. It is bad that the terms So my proposal would be to rename the methods to Any thoughts? |
|
@igorbernstein Thanks for your comment. I will not update the doc anymore, because I've moved the documentation to http://silhouette.readme.io. I'll remove the current doc and the current page with the next release. The problem with the To your last point. We could introduce different types of exceptions for the different cases. But at the end all the different types will handle the two fallback methods. So I'm not sure how this could improve the lib. Could you please provide an example? Anyway the register and login actions are not part of the core. So a user could implement custom exceptions if needed. |
|
re: NotAuthenticated/NotAuthorized NotAuthenticatedException => NotAuthenticatedEvent => handleNotAuthenticated But I still think the providers should have a separate exception for when the user types in a wrong password or cancels an oauth flow. Maybe AuthenticationFailedException? I don't think this exception would be related to the two fallback methods. This exception should to be handled locally in the developer's implementation of the CredentialsAuthController & SocialAuthController. It makes sense to have global handleNotAuthenticated/handleNotAuthorized handlers since SecuredActions will be all over the codebase. But the developer will generally have one CredentialsAuthController & one SocialAuthController. Using the same exception type for both usecase feels a bit misleading. re: SilhouetteException as a class |
|
It might even make sense to have the credential provider throw an InvalidPasswordException and the oauth providers throw a OAuthCanceledException |
|
Thanks for the input. I work on an update to this pull request and I'll see if I can address this issues. |
|
I've updated the pull request and the documentation. Every feedback is highly appreciated. |
|
👍👍
You might want to reorder the exceptions in the docs and pull NotAuthenticatedException & NotAuthorizedException towards the top because they'll be the most common. I'll have some time on tuesday to read through the full commit and give more feedback then. |
|
@igorbernstein Thanks. I had the same thought regarding the order of exceptions. I'll change this. Looking forward for the full review. |
|
@akkie What do you think about use I18N for exception message? it give flexibility to customize the message |
|
I'm not sure I would ever want to bubble exception messages to the user...it has the potential to leak too much info. Also, there is some value in keeping the exception messages consistent so that developers have an easier time googling for similar issues that other developers might've solved & blogged about. What messages were you thinking needed translations? edit: fix grammar & add explanation why I wouldn't want to bubble exception messages (sorry brain is still asleep) |
|
@igorbernstein the ideia is not to buble or translatie the exception message to the user otherwise i'd like to be possible to customize the message. One way to do that is use Play Message. Likely we use log to do some bigdata stuff so it's nice if we could customize the exception message because it goes to the log. That is only one idea to remove hardcode message. |
|
Play message is made for front-end and not for back-end translation. The problem is that if you would translate the exception messages, you must pass two language objects around. The one for the front-end and one for the back-end. Otherwise you log the messages in the language of the user. |
|
I would like to merge the commit. Any objections? |
|
I'm looking it over now...a couple of notes:
Other than that, it looks good to me |
|
I have choosen the name AccessDeniedException because the providers return an access denied error, so I think we should also use this name. It's also a ProviderException and it's documented in this way. I'll remove the old doc with the next pull request before the next release. |
|
Sounds good On Tue, Mar 10, 2015 at 5:24 PM, Christian Kaps notifications@github.com
|
|
LGTG 👍 |
Simplifies the exception and status code handling
This pull request simplifies the handling of the exceptions and the fallback methods to show the appropriate status codes. Previously it was confusing that the
notAuthenticatedmethod handles the401 Unauthorizedstatus code and thenotAuthorizedmethod handles the403 Forbiddenresult. Now this is completely unified:There are now three types of exceptions:
UnauthorizedException-> handles the401 Unauthorizedstatus codeForbiddenException-> handles the403 Forbiddenstatus codeAuthenticationException-> handles errors in the authentication flowThe
notAuthenticatedfallback handler was renamed toonUnauthorizedand thenotAuthorizedfallback handler was renamed tohandleForbidden.The credential based providers will now throw an
UnauthorizedExceptionif the password doesn't match or if the user couldn't be found.The exceptions do not log the errors anymore. Instead the exception handler will log an info for the
UnauthorizedExceptionand theForbiddenException. TheAuthenticationExceptionwill not be handled by the exception handler. This should be handled by the user or by the globalonErrorhandler.Any suggestion would be highly appreciated. Especially from @rfranco or @igorbernstein.