Comments (6)
schrockwell
commented on August 18, 2024
Hi @elieteyssedou! Please note that the result of the authorization check has no intrinsic meaning to the web layer – that's up to you. See the Controllers section of the readme for an example of how to return a 403 from {:error, :unauthorized}.
from bodyguard.
elieteyssedou
commented on August 18, 2024
Hi @schrockwell,
Thank you for you reply. Yeah, I understand that, but it is strongly linked to the response you will send back in the web layer, don't you think ? Plus, I somewhere in my app I have an authentication mechanism including an {:error, :unauthorized} as it should be for authentication, I won't be able to match on that error for returning 401, because of default configuration of Bodyguard (that makes me match on :unauthorized error to send 403 Forbidden).
I had this exact problem and my only way to fix it properly was to render manually my 401 error when I had to... It means that depending of the execution (while testing authentication or testing authorization), {:error, :unauthorized} will cause 401 OR 403. So, you can't rely on {:error, :unauthorized} to be sure that a 401 or 403 will be rendered... It depends on where the match will take place.
I don't know if my explications are all clear ?
from bodyguard.
schrockwell
commented on August 18, 2024
You are able to return any error reason directly from an authorize/3 callback, so you could explicitly return {:error, :forbidden} instead of false. Is that too much of a pain?
Alternatively, I could add a config option to make the default error customizable. For example:
config Bodyguard,
default_ok: :ok,
default_error: :unauthorizedfrom bodyguard.
elieteyssedou
commented on August 18, 2024
Yeah, I think a default error customizable would be great ! It is not something mandatory and without it I would still use bodygard, but if I were able to configure this, it would remove my only frustration about this library.
I really like to use the booleans to authorize or not an action and be confident that it will be handled the right way by my controllers. :) I will may be use this feature that way : default_error: :bodyguard_unauthorized (or something very specific), to handle it properly.
What do you think ?
from bodyguard.
schrockwell
commented on August 18, 2024
Published in 2.3.0! See the config section near the bottom of the README.
from bodyguard.
elieteyssedou
commented on August 18, 2024
Oh nice, will update soon ! Thanks
from bodyguard.
Related Issues (20)
- Add changelog HOT 1
- Bodyguard.Plug.Authorize default action to Phoenix action_name(conn)? HOT 10
- Update README to mention Plugs and Actions
- Support dynamic `params` on the `Bodyguard.Plug.Authorize` plug HOT 5
- Add default config for Bodyguard.Plug.Authorize plug options HOT 2
- Thoughts on scope/4 HOT 1
- Return type of Bodyguard.Authorize.init/1 HOT 2
- Overriding schema in `scope/4` appears to be broken? HOT 1
- Accept {module, function} config for callback functions HOT 1
- Support for strong parameters? HOT 2
- Overriding plug HOT 1
- Please add example for using plugs with fallback controllers HOT 2
- Anonymous Function Example Broken? HOT 4
- Cut Release? HOT 1
- Compilation warnings on Elixir 1.11 HOT 2
- Need help to maintain bodyguard? HOT 12
- Update deps
- Type spec too restrictive?
- Allow to return `{:ok, data}` from authorize callbacks? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bodyguard.