Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

need ACL support for basic authentication middleware #112

Closed
missedone opened this issue Dec 27, 2014 · 7 comments
Closed

need ACL support for basic authentication middleware #112

missedone opened this issue Dec 27, 2014 · 7 comments

Comments

@missedone
Copy link

Hi ant0ine

go-json-rest is quite well that help me quickly get my simple restful service working, i added basic auth middleware to the restful interfaces.
now i want to add ACL support so that, for example, only Admin can have POST/PUT/DELET privileges while User can only GET.
but the Authenticator signature: Authenticator: func(userId string, password string) bool, only pass the user name and password while i want more context, e.g. Method, URI, etc.

so i think we can simple pass one more parameter request *Request to it: Authenticator: func(userId string, password string, request *Request) bool (I copied the auth_basic.go and modify it to fit my ACL need locally), but i think this could be common if people need ACL support.
@missedone missedone mentioned this issue Dec 27, 2014
Closed
@ant0ine
Copy link
Owner

ant0ine commented Dec 27, 2014

Hi,

I like the idea! Unfortunately, this is an API change. This project follows "Semver", breaking API changes are allowed only with major version changes. So, I'll keep this change for the v3.0.0. BTW, I'm currently planning the v3, the ideas are here: #110

@missedone
Copy link
Author

thanks, i'll keep an eye on v3 roadmap:)

@ant0ine
Copy link
Owner

ant0ine commented Jan 4, 2015

Thinking more about this, I think it would be nice to dissociate the two steps:

  1. Authentication
  2. Authorization
    Once the users are known, check their permissions for this given request.
    We could add an optional callback to this middleware like this:
        Authorizator func(userId string, request *Request) bool

The will be executed after a successful call to Authenticator.

This has the benefit to be backward compatible. But the authorization is still required for all requests.

@missedone
Copy link
Author

Hi Antoine

agreed, that's the right approach, authorization will proceed only if the
callback is injected.

Thanks & Best Regards!

              ///
             (. .)

--------ooO--(_)--Ooo--------
| Nick Tan |

On Sun, Jan 4, 2015 at 1:53 PM, Antoine Imbert notifications@github.com
wrote:

Thinking more about this, I think it would be nice to dissociate the two
steps:

  1. Authentication
  2. Authorization
    Once the users are known, check their permissions for this given request.
    We could add an optional callback to this middleware like this:
    Authorizator func(userId string, request *Request) bool

The will be executed after a successful call to Authenticator.

This has the benefit to be backward compatible. But the authorization is
still required for all requests.


Reply to this email directly or view it on GitHub
#112 (comment)
.

@ant0ine
Copy link
Owner

ant0ine commented Jan 12, 2015

@missedone The PR is there: #122 I'll merge that soon.

@missedone
Copy link
Author

@ant0ine that looks good to me, thanks:)

@ant0ine
Copy link
Owner

ant0ine commented Jan 12, 2015

merged, closing this issue.

@ant0ine ant0ine closed this as completed Jan 12, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ant0ine @missedone