Access to authentication #7

Open
thekid opened this issue Dec 31, 2020 · 4 comments

thekid commented Dec 31, 2020

Currently web handlers have access to the authenticated user via the request value named user, which is returned by the authentication flow. However, the following use-cases are not possible without workarounds:

  • Logging out the user
  • Updating the user
  • Aggregating other information alongside the user

To make this possible, a new value authentication could be passed to the request containing methods to access user and session.

@thekid thekid added the question Further information is requested label Dec 31, 2020

thekid commented Dec 31, 2020

This is a primitive logout implementation (abbreviated example inside App::routes()):

return [
  '/logout' => function($req, $res) use($sessions) {
    if ($session= $sessions->locate($req)) {
      $session->destroy();
      $session->transmit($res); // This is necessary with the current implementation but IMO shouldn't be
    }

    $res->answer(302);
    $res->header('Location', '/?logged-out');
  },
  // ...
];

As can be seen, it needs to know that the authentication uses a session-based approach.

thekid commented Dec 31, 2020

First ideas

Logout:

'/logout' => function($req, $res) {
  if ($req->value('authentication')->logout($req, $res)) {
    $res->answer(302);
    $res->header('Location', '/?logged-out');
  }
},

Updating user value:

'/' => function($req, $res) {
  $user= $req->value('user');

  // Fetch user from database
  $current= $this->repo->user($user['id']);
  $req->value('authentication')->update('user', $current);
},

thekid commented Dec 31, 2020

Another idea

Instead of a web.Request class, authentication could pass a class inherited from that, web.auth.Authenticated, thus simplifying the code as follows:

'/logout' => function(Authenticated $req, Response $res) {
  if ($req->logout($res)) {
    $res->answer(302);
    $res->header('Location', '/?logged-out');
  }
},
'/refresh' => function(Authenticated $req, Response $res) {
  $req->update('user', $this->repo->user($req->user()['id']));
},

However, decorating the Request class is quite cumbersome: there are quite a few methods to overwrite with delegating implementations.

thekid commented Jun 30, 2024

Sessions accessor

For us, this would be:

$session= $req->session(); // Returns a web.Session instance or NULL

$session->register('key', 'value');
$session->value('key');
$session->remove('key');

// Logout
$session->destroy();
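
Added example, not part of the thread and not the project's own code: a sketch of the authentication value proposed above, bound to the current session so that handlers can log out or update the user without knowing a session is behind it. The Authentication and InMemorySession classes are hypothetical; the session stand-in is constructed and exposes only the method names that appear in this thread.

```php
<?php
// Constructed stand-in for a session; only the methods named in this thread.
class InMemorySession {
  public $destroyed= false, $transmitted= false;
  private $values= [];

  public function register($key, $value) { $this->values[$key]= $value; }
  public function value($key) { return $this->values[$key] ?? null; }
  public function remove($key) { unset($this->values[$key]); }
  public function destroy() { $this->values= []; $this->destroyed= true; }
  public function transmit($res) { $this->transmitted= true; }
}

// Hypothetical facade handed to handlers instead of the session store.
class Authentication {
  private $session;

  public function __construct($session) { $this->session= $session; }

  // Returns the authenticated user, or NULL once logged out
  public function user() {
    return $this->session ? $this->session->value('user') : null;
  }

  // Replaces a stored value; refuses to create state without a session
  public function update($key, $value) {
    if (null === $this->session) throw new RuntimeException('Not authenticated');
    $this->session->register($key, $value);
  }

  // Destroys and transmits in one place, then drops the reference so
  // later calls in the same request no longer see the user
  public function logout($res) {
    if (null === $this->session) return false;
    $this->session->destroy();
    $this->session->transmit($res);
    $this->session= null;
    return true;
  }
}

// Constructed sample data; NULL stands in for the response object
$session= new InMemorySession();
$session->register('user', ['id' => 1, 'name' => 'test']);
$auth= new Authentication($session);
$auth->update('user', ['id' => 1, 'name' => 'renamed']);
var_dump($auth->user()['name'], $auth->logout(null), $auth->user(), $auth->logout(null));
```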
