Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add auth header callback option for UserALE #397

Closed
EandrewJones opened this issue Jan 17, 2024 · 0 comments · Fixed by #398
Closed

Add auth header callback option for UserALE #397

EandrewJones opened this issue Jan 17, 2024 · 0 comments · Fixed by #398

Comments

@EandrewJones
Copy link
Contributor

Problem

The current method of adding an authentication header to UserALE is static. The user sets the value as a string once when first configuring userale options, e.g.

userale.options({
    ...
    authHeader: `Bearer ${token}`, // <---- update token here
});

These are then sent as part of the POST requests to whichever back-end persistence endpoint was set. The problem is most authentication systems have a TTL on tokens and they may expire as frequently as every 30 mins or sooner. Therefore, the POST requests will fail because the token has expired.

Many auth systems will automatically refresh the token in the client's browser. We need an agnostic and dynamic way to update userALE's authHeader without forcing the user to reset the options every time there's an expiration.

Solution

We can allow users to register an authHeader callback function which fetches the current token and returns it as a properly formatted string (depending on which authentication method they're using on their back-end). This function would then be used in a pre-send hook, where we first fetch a non-expired token and then update the current authHeader field with it.

By following a strategy pattern, all we need to do is "enforce" the desired interface the callback function should follow. Then users can include whatever business logic is needed to achieve the token fetching. Of course, it's a bit tough to strictly enforce a function interface without Typescript, but we can document the pattern.

For end users, it would be as simple as:

const authCallback = (): string => {
  // Business logic here
  return `Bearer ${token}`
}

userale.registerAuthCallback(authCallback)

Pros

This is a simple and clean pattern for handling the token refresh lifecycle (or other challenges) without making any assumptions about which auth approaches end users are using. All we're assuming here is:

  1. they are utilizing the authHeader in some way; and
  2. it needs to be dynamically updated.

Cons

If the authCallback is async because it needs to make a network request, as opposed to say fetching a token directly from the browser, this would add some over-head to the rate at which we POST logs. However, it's better than an alternative where the headers go stale, POST requests 401, and users lose data.
EandrewJones added a commit to EandrewJones/flagon-useralejs that referenced this issue Jan 17, 2024
@EandrewJones
apache#397 adds registerAuthCallback function using strategy pattern;…
c025686 
… adds tests
@EandrewJones EandrewJones mentioned this issue Jan 17, 2024
Merged
Jyyjy added a commit that referenced this issue Jan 24, 2024
@Jyyjy
Merge pull request #398 from EandrewJones/#397-Add-auth-header-callba…
8b07420 
…ck-option

#397 Add authHeader callback option
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

#397 Add authHeader callback option EandrewJones/flagon-useralejs
1 participant
@EandrewJones