This repository has been archived by the owner on Nov 16, 2020. It is now read-only.
Providing a JWT auth middleware by default could be a nice addition to this package. Vapor's JWT package would be a lightweight dep since Auth already relies on Crypto.
```swift
import Authentication
import JWT
import Vapor

final class JWTAuthenticationMiddleware<U>: Middleware where U: Authenticatable & JWTPayload {
    let signer: JWTSigner

    init(_ type: U.Type, signer: JWTSigner) {
        self.signer = signer
    }

    /// See `Middleware`.
    func respond(to req: Request, chainingTo next: Responder) throws -> EventLoopFuture<Response> {
        // fetches the token from `Authorization: Bearer <token>` header
        guard let bearer = req.http.headers.bearerAuthorization else {
            // no authorization header, pass along un-authenticated request
            return try next.respond(to: req)
        }

        // parse JWT from token string, using configured signer
        let jwt = try JWT<U>(from: bearer.token, verifiedUsing: signer)
        try req.authenticate(jwt.payload)

        // pass along authenticated request
        return try next.respond(to: req)
    }
}
```
I disagree with this - it pulls in yet another dependency that a large number of people wouldn't use. People on web won't use JWT and I personally don't like it for doing API auth either - JWT is pretty terrible for authenticating users, since you can't blacklist tokens or sign users out etc.
Not so sure about the "can't blacklist tokens" and "sign users out" parts of your argument -- a "normal" implementation of JWT is that you use a short-lived token (typically a few minutes at most), with a database-backed "refresh token", and if the latter is revoked then you won't be able to get a new JWT token without logging in again. So you have been effectively signed out / blacklisted.
That said, the middleware should probably be added to the JWT package and not to the Auth one?
Vapor is not necessarily a dependency on vapor/jwt nor is Authentication.
It would make more sense to have another package vapor/auth-jwt which depends on:

- vapor/auth
- vapor/jwt

This new repository essentially would be a Vapor 3 version of vapor-community/jwt-provider, which has been deprecated, leaving everyone that was using it absolutely without an alternative.
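An added example, not part of the thread or of Vapor's code: a minimal Python sketch of the pattern discussed in the comments above, a short-lived HS256 JWT paired with a stored refresh token. The signing key, the in-memory `REFRESH_STORE` standing in for the database table, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # constructed signing key for this demo
ACCESS_TTL = 300                  # seconds: the "few minutes at most" lifetime
REFRESH_STORE = {}                # stand-in for the DB table: sha256(token) -> user

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def _key(refresh):
    # Store only a hash, so a leaked table does not leak usable refresh tokens.
    return hashlib.sha256(refresh.encode()).hexdigest()

def issue_access(user, now):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def verify_access(token, now):
    """Return the subject, or None when the signature is bad or the token expired."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError):
        return None

def login(user, now):
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[_key(refresh)] = user
    return issue_access(user, now), refresh

def refresh_access(refresh, now):
    """Mint a new access token only while the refresh token is still stored."""
    user = REFRESH_STORE.get(_key(refresh))
    return issue_access(user, now) if user else None

def sign_out(refresh):
    # Revocation: delete the stored refresh token; no new JWTs can be minted.
    REFRESH_STORE.pop(_key(refresh), None)
```

After `sign_out`, an access token that was already issued still verifies until its `exp` passes; only the refresh path is cut off immediately.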