-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Callback should act like a Slim middleware. #29
Comments
Or you can save the token into container. Although I do like the idea of adding decoded token contents into the $app = new \Slim\App();
$container = $app->getContainer();
$container["jwt"] = function ($container) {
return new StdClass;
};
$app->add(new \Slim\Middleware\JwtAuthentication([
"secret" => "supersecretkeyyoushouldnotcommittogithub",
"callback" => function ($request, $response, $arguments) use ($container) {
$container["jwt"] = $arguments["decoded"];
}
])); |
The reason why I do not like this approach is, that I would need to pass the whole DIC to my controller and I rather only pass the dependencies that are needed directly. Otherwise my class could pull out whatever out of there without anyone on the outside knowing. On top of that this requires to pass the DIC to pretty much every controller (that handles a protected route, that is) :c //EDIT: (Quick brainfart before bed) That way every user can access the token and decoded object the same way and has access to the arbitrary information of their callback under a given key in the jwt_auth array. |
Can you check if fb8541c fixes your problem. I am still thinking about possibility of callback returning either |
Because I had to move my project forward, I wrote my own middleware that adds all the information I need to the request:
That being said: Assuming I now have a "resolve Account by token" function somewhere (which I do) I would still in every route that needs the account information (e.g. for permission checks) to have to resolve this. That is still a lot of routes. Very much possible. However, I still think it would be helpful for the user to attach additional information to the "attribute" that you are now supporting using the callback. If you have a better suggestion how you would resolve my requirement, please go ahead, I would rather switch back to using your middleware :) |
To me it sounds like what you are doing it outside of the scope of this middleware. It was never meant alter the request object, just authenticate and provide the decoded token. What happens after that is up to the developer. I think what you did is the correct solution, another middleware which does the authorisation part. But like I said, I am still pondering about possibility of |
Well I am not asking for your middleware to "do these things". Now that you have added the token to the request, the user gets a lot of more options and I could solve my problem with it. But as the callback is right now, I do not see many use cases for it. There is no chance to really transport something out of the callback function unless you store it in a global place, which is usually a bad idea. Middleware has access to the Request and Response and has the option to modify it. This is what you are offering. My suggestions above are mere suggestions that resolve my issue of "access to the token before it reaches the dispatched method and actually making the processing result accessible to every method that is protected by the middleware". I do not really like the callback returning false [request, response] thing either. In Python its more natural to return tuples. Hence you can also |
With 3.x branch you can currently do something like: $app->add(new \Tuupola\Middleware\JwtAuthentication([
"secret" => "supersecretkeyyoushouldnotcommittogithub",
"before" => function ($request, $response, $arguments) {
return $request->withAttribute("test", "test");
}
])); |
I'm using this middleware to verify a token.
In addition to that, I would like to resolve the user account the token has been issued to and attach this to the request, so that the controller function that is called for the given route has access to the user account.
Using this middleware and the callback method, I have no way of manipulating the $request like middleware does.
I also had a quick chat with Akrabat on the Slim IRC:
Suggestions:
if the decoded token is added to the Request's attributes, a Middleware following this one can access the decoded token and do as it pleases. However, that makes the second middleware depended on this one.
change callback or add another callback option that makes the provided function act like a middleware and return the call to $next($request, $response). In this case the function has to handle the error on its own, while it of course would be nice to keep the error handling in this middleware to keep it consistent. Alternatively allow throwing an Exception that will be caught.
have callback return
false
or an array($request, $response).On
false
return the error response like before.On
null
ortrue
call $next($request, $response) like nothing happenedand if the array is returned call $next($request, $response) with the values of the array.
Please discuss if you can see other solutions, this was just a quick draft of the top of my head as I have to rush now.
I can play with this more extensively tomorrow and provide a pull request if requested.
The text was updated successfully, but these errors were encountered: