RejectedSoftware Forums

REST API - authentication

Hello

Can I use http://vibed.org/api/vibe.web.auth/ for authentication of registered REST interfaces, or is it designed to work only with Web interfaces? I see only examples of such usage.

If I cannot use it with REST, how should I handle it in that case? With "@before"?

Regards
holo

Re: REST API - authentication

Edit button could be helpful :)

I'm asking about it because of a stateless application (using JWT tokens). With this authentication framework we won't have access to req and res for e.g. mobile applications. How to handle authentication in such cases?

Re: REST API - authentication

On Wed, 20 Sep 2017 21:46:33 GMT, holo wrote:

> Hello
>
> Can I use http://vibed.org/api/vibe.web.auth/ for authentication of registered REST interfaces, or is it designed to work only with Web interfaces? I see only examples of such usage.
>
> If I cannot use it with REST, how should I handle it in that case? With "@before"?
>
> Regards
> holo

Yes, it's actually usable with the REST interface generator, too, and works just like for web interfaces. But examples are indeed still missing - I'll add one for the next release.

However, there are currently two caveats. @noRoute is only supported for REST interfaces on the current master branch, and there is a bug in conjunction with the Collection!I feature (#1922). I'll tag a new alpha release of 0.8.2 in the coming days with fixes included.

Re: REST API - authentication

On Thu, 21 Sep 2017 09:46:59 GMT, holo wrote:

> Edit button could be helpful :)

I was thinking about allowing edits within a few minutes (maybe two to four). The problem is that it needs to stay reasonably compatible with NNTP-based access, which doesn't support edits. This means that the original message would need to be deleted and a new one created instead. This in turn would break the references and thus the threading of existing replies, because the new message must also have a new ID.

Re: REST API - authentication

On Thu, 21 Sep 2017 10:07:11 GMT, Sönke Ludwig wrote:

> On Wed, 20 Sep 2017 21:46:33 GMT, holo wrote:
>
> > Hello
> >
> > Can I use http://vibed.org/api/vibe.web.auth/ for authentication of registered REST interfaces, or is it designed to work only with Web interfaces? I see only examples of such usage.
> >
> > If I cannot use it with REST, how should I handle it in that case? With "@before"?
> >
> > Regards
> > holo
>
> Yes, it's actually usable with the REST interface generator, too, and works just like for web interfaces. But examples are indeed still missing - I'll add one for the next release.
>
> However, there are currently two caveats. @noRoute is only supported for REST interfaces on the current master branch, and there is a bug in conjunction with the Collection!I feature (#1922). I'll tag a new alpha release of 0.8.2 in the coming days with fixes included.

Thank you for helping! I have another question regarding the auth framework:

How do I handle stateless tokens with it? For example, from mobile applications which are not using sessions? So we do not have access to the res and req variables, and the authenticate function requires them to work (or maybe I'm missing something?).

Maybe it would be good to add a second REST authentication function which is not forcing

scope HTTPServerRequest req, scope HTTPServerResponse res

parameters, but instead you can use parmHeader(auth, Authentication) or something like that, e.g.:

static struct AuthInfo {
  string JWTToken;
  Json payload = decrypt(JWTToken);

  bool isAdmin() { return this.payload["admin"]; }
  bool isEditor() { return this.payload["editor"]; }
}

@noRoute AuthInfo authenticate(parmHeader(auth, Authentication)) {
  if (verify(auth))
    return AuthInfo(auth);
  throw new HTTPStatusException(HTTPStatus.unauthorized);
}

Please correct me if I'm misunderstanding something regarding stateless applications and access to the req and res variables.
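
Added example, not part of the thread and not vibe.d's own code: in a `@requiresAuth` REST interface, `authenticate` still receives `req` on every call, so a session-less client can be checked from its `Authorization: Bearer` header alone. Assumptions: vibe.d 0.8.2 or later, HS256-signed JWTs, and the hypothetical names `IArticleAPI`, `ArticleAPI`, `verifyHS256` and `jwtSecret`.

```d
import std.algorithm.searching, std.array, std.base64, std.datetime, std.string;
import std.digest.hmac, std.digest.sha;
import vibe.data.json, vibe.http.common, vibe.http.server, vibe.web.auth, vibe.web.rest;

enum jwtSecret = "constructed-demo-secret"; // placeholder: load the real key from configuration

struct AuthInfo {
@safe:
	Json claims; // payload of an already verified token
	bool isAdmin() { return claims["admin"].opt!bool(false); }
	bool isEditor() { return claims["editor"].opt!bool(false); }
}

@requiresAuth
interface IArticleAPI {
@safe:
	// Called before every route. No session is used, only the request header.
	@noRoute AuthInfo authenticate(scope HTTPServerRequest req, scope HTTPServerResponse res);
	@anyAuth string getWhoami();
	@auth(Role.admin | Role.editor) void postArticle(string title);
}

class ArticleAPI : IArticleAPI {
@safe:
	AuthInfo authenticate(scope HTTPServerRequest req, scope HTTPServerResponse res) {
		auto hdr = req.headers.get("Authorization", "");
		enforceHTTP(hdr.startsWith("Bearer "), HTTPStatus.unauthorized);
		return AuthInfo(verifyHS256(hdr["Bearer ".length .. $]));
	}
	string getWhoami() { return "authenticated"; }
	void postArticle(string title) { /* store the article */ }
}

// Verifies signature and expiry. The "alg" field in the token header is never consulted.
Json verifyHS256(string token) @trusted {
	try {
		auto p = token.split(".");
		enforceHTTP(p.length == 3, HTTPStatus.unauthorized);
		auto want = (p[0] ~ "." ~ p[1]).representation.hmac!SHA256(jwtSecret.representation);
		auto got = Base64URLNoPadding.decode(p[2]);
		ubyte diff = 0; // OR of all byte differences, so timing does not depend on where they differ
		if (got.length == want.length) foreach (i, b; want) diff |= b ^ got[i];
		enforceHTTP(got.length == want.length && diff == 0, HTTPStatus.unauthorized);
		auto claims = parseJsonString(cast(string) Base64URLNoPadding.decode(p[1]));
		enforceHTTP(claims["exp"].opt!long(0) > Clock.currTime.toUnixTime, HTTPStatus.unauthorized);
		return claims;
	} catch (Exception) throw new HTTPStatusException(HTTPStatus.unauthorized); // malformed or invalid
}
```

Register it with `router.registerRestInterface(new ArticleAPI)`. A token without a numeric `exp` claim is rejected, and a missing `admin` or `editor` claim counts as `false`.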