Comments (16)
I looked at this last night. You will definitely need to work out #39 first if what you want is per-route authentication like Hapi supports. _routeHandler will need to have some sort of "authentication" API to query. I don't think the hook API will work for the situation; but I could be wrong about that.
from fastify.
@jsumners behind the scenes we are working on it :)
from fastify.
I think this goes with this issue. Let's say you have the following:

    fastify.addHook('preHandler', (fastifyRequest, res, next) => {
      let authError
      // No header at all: reject.
      if (!fastifyRequest.req.headers['authorization']) {
        authError = Error('missing authorization header')
        fastifyRequest.log.error('unauthorized: %s', authError.message)
        // res.code(401).send({})
        return next(authError)
      }
      // Expect exactly "bearer <key>".
      const authKeyParts = fastifyRequest.req.headers['authorization'].split(' ')
      if (authKeyParts.length !== 2 || authKeyParts[0] !== 'bearer') {
        authError = Error('invalid authorization header')
      }
      // Key must be in the configured allow-list.
      if (config.authorization.has(authKeyParts[1]) === false) {
        authError = Error('auth key invalid')
      }
      if (authError) {
        fastifyRequest.log.error('unauthorized: %s', authError.message)
        // res.code(401).send({})
        return next(authError)
      }
      next()
    })
The client will never get a 401 because the only way to not send multiple responses is to pass an error into next().
from fastify.
Maybe I'm missing the point here, why you are not doing:

    if (!fastifyRequest.req.headers['authorization']) {
      authError = Error('missing authorization header')
      fastifyRequest.log.error('unauthorized: %s', authError.message)
      res.code(401).send({})
      return // <=
    }

?
from fastify.
Because I was under the impression that you must invoke next().
from fastify.
Well, it depends :)
next() is needed to continue the fastify lifecycle, but you can "interrupt" the lifecycle at any point by closing the request and adding a return if needed :)
Maybe we can be more clear about this in the documentation.
from fastify.
I think that may be true. Anyway, the only reason I posted it to this thread is because, since I thought next() was required, I thought there would have to be some extra work done to support ending requests with error codes other than 500 (i.e. 401 - not authorized).
from fastify.
So what is the vision for this feature @mcollina @delvedor ?
from fastify.
I do not have time to write it at this moment, and I think @delvedor would need some guidance and help. Would you like to contribute (even if it's just fleshing out an initial prototype, or giving @delvedor some reviews/directions)?
from fastify.
I'm willing to at least investigate if I am capable. But I need to know what the vision for the feature is. How is it supposed to work? Does it work differently than fastify-bearer-auth?
from fastify.
The key concepts are: strategies and schemas, similar to Hapi. However, the system should be fully encapsulated with plugins, while in Hapi schemas and strategies are global. I'm not sure if it's even possible :).
from fastify.
That's what I suspected. I don't think it's even necessary if it even is possible. With the current encapsulation and plugin mechanisms it is very easy to register routes under authentication and non-authentication at the same time.
from fastify.
Do you think this is fixed by #115? It might.
from fastify.
I think it is, I'm working on a jwt based plugin that uses the beforeHandler function.
I'll show you something in the next days.
from fastify.
I've added a proof of concept here.
from fastify.
I think this can be closed, fastify-auth offers a utility to handle authorization and there are a few examples; furthermore we are working on a Passport plugin.
Please reopen it if you think we should discuss more :)
from fastify.