This repository has been archived by the owner on Nov 16, 2020. It is now read-only.

consider including JWT by default #53

Closed
tanner0101 opened this issue Aug 13, 2018 · 5 comments
Labels
enhancement New feature or request

@tanner0101
Member

Providing a JWT auth middleware by default could be a nice addition to this package. Vapor's JWT package would be a lightweight dep since Auth already relies on Crypto.

```swift
final class JWTAuthenticationMiddleware<U>: Middleware where U: Authenticatable & JWTPayload {
    let signer: JWTSigner

    init(_ type: U.Type, signer: JWTSigner) {
        self.signer = signer
    }

    /// See `Middleware`.
    func respond(to req: Request, chainingTo next: Responder) throws -> EventLoopFuture<Response> {
        // fetches the token from `Authorization: Bearer <token>` header
        guard let bearer = req.http.headers.bearerAuthorization else {
            // no authorization header, pass along un-authenticated request
            return try next.respond(to: req)
        }

        // parse JWT from token string, using configured signer
        let jwt = try JWT<U>(from: bearer.token, verifiedUsing: signer)
        try req.authenticate(jwt.payload)

        // pass along authenticated request
        return try next.respond(to: req)
    }
}
```
@tanner0101 tanner0101 added the enhancement New feature or request label Aug 13, 2018
@0xTim
Member

0xTim commented Aug 14, 2018

I disagree with this - it pulls in yet another dependency that a large number of people wouldn't use. People on web won't use JWT and I personally don't like it for doing API auth either - JWT is pretty terrible for authenticating users, since you can't blacklist tokens or sign users out etc.

My (highly opinionated) $0.02 😆

@tholo

tholo commented Aug 17, 2018

Not so sure about the "can't blacklist tokens" and "sign users out" parts of your argument -- a "normal" implementation of JWT is that you use a short-lived token (typically a few minutes at most), with a database-backed "refresh token", and if the latter is revoked then you won't be able to get a new JWT token without logging in again. So you have been effectively signed out / blacklisted.

That said, the middleware should probably be added to the JWT package and not to the Auth one?
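
The token lifecycle tholo describes above (short-lived access JWT, database-backed refresh token, revocation of the refresh token as the sign-out mechanism), together with the bearer-header check in the middleware proposed at the top of the issue, as an added Python example that is not code from this issue, from vapor/auth or from Vapor's JWT package. The signing key, the five-minute lifetime, the in-memory dict standing in for the database, and the user names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo key; a real deployment loads this from configuration.
SECRET = b"demo-signing-key-not-for-production"
ACCESS_TTL = 300  # five minutes: the "short-lived" access token tholo describes


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check signature and expiry; raise ValueError on any failure.
    This is the step the middleware delegates to `verifiedUsing: signer`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")  # a missing exp counts as expired
    return payload


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[dict]:
    """Bearer lookup as in the middleware: no header -> unauthenticated (None);
    a header that fails verification raises, as the Swift `try` would."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_jwt(auth[len("Bearer "):], now=now)


class RefreshTokenStore:
    """Database-backed refresh tokens (a dict stands in for the database here).
    Revoking one is how the server signs a user out under this scheme."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # refresh token -> subject

    def issue(self, subject: str) -> str:
        rt = secrets.token_urlsafe(32)
        self._tokens[rt] = subject
        return rt

    def revoke(self, rt: str) -> None:
        self._tokens.pop(rt, None)

    def exchange(self, rt: str, now: Optional[float] = None) -> str:
        """Trade a live refresh token for a new short-lived access JWT."""
        subject = self._tokens.get(rt)
        if subject is None:
            raise PermissionError("refresh token revoked or unknown; log in again")
        issued = int(now if now is not None else time.time())
        return sign_jwt({"sub": subject, "iat": issued, "exp": issued + ACCESS_TTL})


def demo() -> dict:
    """Login, use, revocation, and the window in which the old access token still works."""
    store = RefreshTokenStore()
    t0 = 1_700_000_000.0  # constructed clock
    rt = store.issue("alice")
    access = store.exchange(rt, now=t0)
    before = authenticate_request({"Authorization": f"Bearer {access}"}, now=t0 + 60)["sub"]
    store.revoke(rt)  # "sign out": the refresh token is gone from the database
    # The access token already issued stays valid until its exp (at most ACCESS_TTL)...
    still_valid = authenticate_request({"Authorization": f"Bearer {access}"}, now=t0 + 120) is not None
    # ...but no new one can be minted, and after ACCESS_TTL the old one is dead too.
    try:
        store.exchange(rt, now=t0 + 120)
        renewed = True
    except PermissionError:
        renewed = False
    try:
        authenticate_request({"Authorization": f"Bearer {access}"}, now=t0 + ACCESS_TTL + 1)
        expired = False
    except ValueError:
        expired = True
    return {"before": before, "still_valid": still_valid, "renewed": renewed, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through makes the trade-off explicit: revocation takes effect immediately for issuing new tokens, while the already-issued access token remains usable for the remainder of `ACCESS_TTL`, which is why the access lifetime has to be short for this to count as a sign-out.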

@valeriomazzeo

Vapor does not necessarily depend on vapor/jwt, nor does Authentication.

It would make more sense to have another package vapor/auth-jwt which depends on:

  • vapor/auth
  • vapor/jwt

This new repository essentially would be a Vapor 3 version of vapor-community/jwt-provider which has been deprecated leaving everyone that was using it absolutely without an alternative.

See also vapor/jwt#87

@valeriomazzeo

This provides a similar functionality to the old vapor-community/jwt-provider: https://github.com/asensei/vapor-auth-jwt

@0xTim
Member

0xTim commented Jan 31, 2019

Closing due to inactivity - feel free to reopen!

@0xTim 0xTim closed this as completed Jan 31, 2019
@tanner0101 tanner0101 added this to Done in Vapor 4 Feb 12, 2019