cargonauts currently has no strategy for authentication and authorization. I'm not sure exactly what the best way to proceed here is.
My preference is that these be handled somehow in the routing layer, before the "api trait" gets hit. For the basic use case of auth, controlling whether a user can access an endpoint, this seems fairly simple. But for the more complex case, where authentication determines which response a user receives at an endpoint (for example, having a singleton resource like a `Cart` which has the current user's shopping cart), it's much less clear how to create a clean API.
I think the best approach might be to disallow this kind of authentication-based routing except for "entrypoints." Entrypoints are a future feature in which the author can designate a particular route as pointing to a particular endpoint (in general, routes are auto-generated), so that they can access it to begin traversing the API. The internal API for entrypoints can include the ability to pass auth info as a part of determining which resource the entrypoint accesses; from that point on, all routing will be fully qualified by the URL path.
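The split proposed above, sketched as an added example (not cargonauts code and not written by the issue's author): authentication runs in the routing layer, a `/cart` entrypoint is the only route that uses identity to choose a resource, and `/carts/{id}` is fully qualified, so identity there only decides allow or deny. `Router`, `Outcome`, `show_cart`, the route names and the token table are assumptions made for illustration.

```rust
// Added illustration: Router, Outcome and both routes are hypothetical, not cargonauts APIs.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Outcome { Ok(String), Redirect(String), Unauthorized, Forbidden, NotFound }
struct Router {
    sessions: HashMap<String, u32>, // token -> user id
    cart_of: HashMap<u32, u32>,     // user id -> cart id
}

// Stands in for the "api trait": it receives a resource id, never credentials.
fn show_cart(cart_id: u32) -> String { format!("cart {}", cart_id) }
impl Router {
    fn route(&self, path: &str, token: Option<&str>) -> Outcome {
        // Authentication happens in the routing layer, before any handler runs.
        let user = match token.and_then(|t| self.sessions.get(t)) {
            Some(&id) => id,
            None => return Outcome::Unauthorized,
        };
        let segs: Vec<&str> = path.trim_matches('/').split('/').collect();
        match segs.as_slice() {
            // Entrypoint: the only route whose target depends on who is asking.
            ["cart"] => match self.cart_of.get(&user) {
                Some(cart) => Outcome::Redirect(format!("/carts/{}", cart)),
                None => Outcome::NotFound,
            },
            // Fully qualified route: identity decides allow or deny, never which resource.
            ["carts", id] => match id.parse::<u32>() {
                Ok(cart) if self.cart_of.get(&user) == Some(&cart) => Outcome::Ok(show_cart(cart)),
                Ok(_) => Outcome::Forbidden,
                Err(_) => Outcome::NotFound,
            },
            _ => Outcome::NotFound,
        }
    }
}

// Constructed sample data: two users, one cart each.
fn sample_router() -> Router {
    let mut r = Router { sessions: HashMap::new(), cart_of: HashMap::new() };
    for &(tok, user, cart) in &[("tok-alice", 1, 10), ("tok-bob", 2, 20)] {
        r.sessions.insert(tok.to_string(), user);
        r.cart_of.insert(user, cart);
    }
    r
}
fn main() {
    let r = sample_router();
    println!("{:?} {:?}", r.route("/cart", Some("tok-alice")), r.route("/carts/10", Some("tok-bob")));
}
```

Because the ownership check sits in `route`, a handler such as `show_cart` cannot be reached with another user's cart id even if the handler itself performs no checks.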