fix: Improve authentication parameter handling #1333
Conversation
packages/authentication/src/jwt.ts
Outdated
| @@ -42,7 +42,6 @@ export class JWTStrategy extends AuthenticationBaseStrategy { | |||
| throw new NotAuthenticated(`Could not find entity service`); | |||
| } | |||
|
|
|||
| // @ts-ignore | |||
| return entityService.get(id, params); | |||
There was a problem hiding this comment.
Correct me if I'm wrong, but I think there's another edge case hiding here.
Say the client calls app.authenticate({ strategy: 'jwt', accessToken }) - which, for example, my app does on initial render (I think that's mandatory to authenticate the socket?). That calls strategy.authenticate(), which calls this.getEntity(entityId, params) passing all of the params through. But entity can't be resolved from an external call if it's unauthenticated – authenticate() hook is skipped, but restrictToOwner or any custom logic looking at the user object is not skipped. This is why I had to resort to differentiating between internal and external calls in my "patched" jwt strategy:
class CustomJWTStrategy extends JWTStrategy {
async getEntity(id, params) {
const { entity } = this.configuration
const entityService = this.entityService
if (entityService === null) {
throw new errors.NotAuthenticated(`Could not find entity service`)
}
const result = await entityService.get(id, omit(params, ['provider', 'query']))
if (params.provider) {
return entityService.get(id, { ...omit(params, 'query'), [entity]: result })
} else {
return result
}
}
}There was a problem hiding this comment.
Yup, that makes sense, will add it to this PR.
There was a problem hiding this comment.
Allright, it should be updated to work the same for both, the local and JWT strategies.
There was a problem hiding this comment.
Amazing. This all looks good to go to me.
There was a problem hiding this comment.
Thanks daffi but not only authentication service suffers from this (NotFound Error) on service entities (while app.services is returning all of them intact and in place!!) still exists on feathers via socketio (express is fine) I have had to handle it via socket common hook (like it's authorization!!) which is not the reason i rushed toward feathers in the first place , which was integration.
There was a problem hiding this comment.
I'm not exactly sure what you mean. A separate issue with a small example to reproduce would be helpful.
There was a problem hiding this comment.
OK, sure . just wanted to say thanks , great job and the rest I'll issue.
For #1324 4), 5), 6) and 7) and should close #1320