-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Required to annotate with @authenticate for all the routes! #2460
Comments
A whitelist effectively? I do think that is a nice to have(if not already). Low priority. |
So, is it nice to have all paths which may go up to any number (in my case around 30) and all to be annotated with @authenticate !?. How about the case when there is just one strategy and all the paths (ignore my mention about one or two paths and assume all paths) needs to be authenticated with that strategy Also, is it good way - for example if for some reason, if someone forget to annotate, than that path will be public. Unless I missed something, I feel I am asking a very simple question about a common scenario that many will be facing. |
@vishalvisd I also discussed with team about having a controller class decorator that sets one authentication strategy for all the methods. Will update the progress here when we start, now as a workaround, you can hardcode what strategy to return in the strategy resolver, see this example. In the example above, the strategy resolver returns the strategy according to a controller function's metadata, in your case you can just ignore the metadata and return the particular strategy you want. |
I know about this, but this need to still annotate all routes which I think is not a workaround. Thanks for taking it up for discussion, hope to see an update on this soon. Loopback is a great framework and I really appreciate the effort you guys are putting into it! |
We can use the same pattern as The decorator allows to be applied at both |
Related to #1334 |
I need some time to study the interceptors pattern being recommended here, to understand how this would be implemented... But in the meantime, here are some things we need to consider: If we have the If we want a few controller methods to There's a PR in the works about how So authentication with default options, the decorator parameters at the class level would look like this:
No options are passed as a second parameter (no need to, the strategy class loads defaults) If user wants to override some default option for a specific authenticated controller function, then
@jannyHou, @raymondfeng , what are your thoughts on this? thanks |
@emonddr Good idea to list various combinations. In general, the class level provides default settings and the method level can override it. To make things simple, I suggest the following:
|
Thanks @emonddr for the summary,
I think Raymond means the class or method decorator can be created like this. And I am good with @raymondfeng 's proposal:
I think the class level decorator can still take options, like each controller has its own configurations. We can leverage |
Moving to Q4. |
See #3762 |
Closing as done. |
Current Behavior
I have to annotate all of my controller routes with @authenticate('startegry_name'), but in my case I just have a single strategy and don't like the compulsion of adding the @autheticate annotation to each of my 20-30 routes. Though, one or two routes are there where I don't need any authentication and should be available for public.
Expected Behavior
Would be better if there is a way to have authentication default for all routes except for one or two. IF there is already some sort of way available please let me know what would be that.
Acceptance criteria
@authenticate
, the method would use the metadata as is without checking the class@authenticate
, the method would check the class level@authenticate.skip
or@authenticate('skip')
to exclude a method to inherit@authenticate
from the classThe text was updated successfully, but these errors were encountered: