On Thu, 21 Sep 2017 10:07:11 GMT, Sönke Ludwig wrote:
On Wed, 20 Sep 2017 21:46:33 GMT, holo wrote:
Hello
Can I use http://vibed.org/api/vibe.web.auth/ for authentication of registered REST interfaces, or is it designed to work only with Web interfaces? I see only examples of such usage.
If I cannot use it with REST, how should I handle it in that case? With "@before"?
Regards
holo
Yes, it's actually usable with the REST interface generator, too, and works just like for web interfaces. But examples are indeed still missing - I'll add one for the next release.
However, there are currently two caveats. @noRoute is only supported for REST interfaces on the current master branch, and there is a bug in conjunction with the Collection!I feature (#1922). I'll tag a new alpha release of 0.8.2 in the coming days with fixes included.
Thank you for helping! I have another question regarding the auth framework:
How to handle stateless tokens with it? For example from mobile applications which are not using sessions? So we do not have access to the res and req variables, and the authenticate function requires them to work (or maybe I'm missing something?)?
Maybe it would be good to add a second REST authentication function which does not force the scope HTTPServerRequest req, scope HTTPServerResponse res parameters, but where you can instead use parmHeader(auth, Authentication) or something like that, e.g.:
    static struct AuthInfo {
        string JWTToken;
        Json payload = decrypt(JWTToken);
        bool isAdmin() { return this.payload["admin"]; }
        bool isEditor() { return this.payload["editor"]; }
    }
    @noRoute AuthInfo authenticate(parmHeader(auth, Authentication)) {
        if (verify(auth))
            return AuthInfo(auth);
        throw new HTTPStatusException(HTTPStatus.unauthorized);
    }
Please correct me if I'm misunderstanding something regarding stateless applications and access to the req and res variables.
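An added example, not part of the thread and not vibe.d's own code: one way a REST interface could accept a stateless bearer token through the authenticate signature quoted above, reading the Authorization header from req with no session involved. The HS256 token layout, demoKey, verifyToken, IArticleAPI and the claim names are assumptions made for illustration.

```d
import vibe.d;                           // HTTP server types, Json, REST generator
import vibe.web.auth;                    // @requiresAuth, @auth, @anyAuth, Role
import std.algorithm : startsWith;
import std.array : split;
import std.base64 : Base64URLNoPadding;
import std.datetime : Clock;
import std.digest.hmac : hmac;
import std.digest.sha : SHA256;
import std.exception : enforce;
import std.string : representation;

enum demoKey = "constructed-demo-key";   // assumption: HS256 key shared with the token issuer

struct AuthInfo {
	Json claims;
	bool isAdmin()  { return claims["admin"].opt!bool(false); }
	bool isEditor() { return claims["editor"].opt!bool(false); }
}

// Hypothetical helper: returns the claims of a valid, unexpired HS256 token, throws otherwise.
Json verifyToken(string token)
{
	auto parts = token.split(".");
	enforce(parts.length == 3, "malformed token");
	// Always recompute HMAC-SHA256 server-side; the token's own "alg" header is never trusted.
	auto expected = hmac!SHA256(demoKey.representation)
		.put((parts[0] ~ "." ~ parts[1]).representation).finish();
	auto given = Base64URLNoPadding.decode(parts[2]);
	enforce(given.length == expected.length, "bad signature");
	int diff = 0;
	foreach (i, b; expected) diff |= b ^ given[i];   // compare without early exit
	enforce(diff == 0, "bad signature");
	auto claims = parseJsonString(cast(string) Base64URLNoPadding.decode(parts[1]));
	enforce(claims.type == Json.Type.object, "claims must be an object");
	enforce(claims["exp"].opt!long(0) > Clock.currTime.toUnixTime, "expired or missing exp");
	return claims;
}

@requiresAuth interface IArticleAPI {
	@noRoute AuthInfo authenticate(scope HTTPServerRequest req, scope HTTPServerResponse res);
	@anyAuth string getProfile();
	@auth(Role.admin | Role.editor) void deleteArticle(int id);
}

class ArticleAPI : IArticleAPI {
	AuthInfo authenticate(scope HTTPServerRequest req, scope HTTPServerResponse res)
	{
		auto hdr = req.headers.get("Authorization", "");
		try { enforce(hdr.startsWith("Bearer ")); return AuthInfo(verifyToken(hdr["Bearer ".length .. $])); }
		catch (Exception e) throw new HTTPStatusException(HTTPStatus.unauthorized);  // any failure is a 401
	}
	string getProfile() { return "ok"; }
	void deleteArticle(int id) {}
}
```

Register it with registerRestInterface(new ArticleAPI) on a URLRouter like any other REST interface.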