Attempt to authenticate tokens without X-Token-Type #7
Conversation
All looks good.
Add test for multi-auth skipping JWT
Restructure test code into separate sources

@CameronMcWilliam FYI, I realised I had not added a test for type-safe JWT middleware in the absence of the
While adding that I discovered that the test for skipping authentication was wrong: it was actually rejecting the JWT because we hadn't set up a verifier with
Having two Codable routes registered to a path isn't a good idea as you could end up with multiple responses in the same body, and the last one that executes dictates the response status. So I've replaced those routes with a single route that uses |
This PR aims to simplify use of this plugin with third-party clients that send a standard `Authorization` header but do not supply our custom `X-token-type` header.

Resolves #6

Current `Credentials` behavior is:
- (`next()`)
- (`unauthorized` response is sent)

The token plugins decide whether to pass or attempt authentication based on the `X-token-type` header:
- If `X-token-type == JWT`, it will attempt to authenticate the `Authorization` header and either succeed or fail.
- If `X-token-type` is a value other than `JWT`, it will pass (defer to other plugins).
- If `X-token-type` is not set, it will attempt to authenticate the `Authorization` header and either succeed, or pass (defer to other plugins). This is the new behavior introduced here.

It is important that it passes (rather than failing) in the case where the `X-token-type` is not set, as this can be considered a 'speculative' attempt which could really be intended for another plugin.