question: Allow all users and inject headers for authenticated users at the same time #279
Does caddy-security/go-authcrunch support anonymous users and authenticated users at the same time? Think of a public site like HN, where the page shows to public and authenticated users, but authenticated users have additional abilities like voting and replying.
@infogulch , this is better supported by caddy’s route matcher. Create a matcher that meets a specific condition that does not require authorization. You can use bypass uri to exclude a particular path prefix, but it needs to be something like /public/
Ok, but I still want caddy-security to decode the jwt and add headers like I have it configured to do when the user is logged in. Can it do that?
@infogulch , you want to grant “guest” user access without authentication? What would you decode if a user did not authenticate?
Yes. My preference would be to omit headers that require a decoded token value entirely and add a different header like Could also set them to empty string or some other chosen default.
What do you think, is this a reasonable thing to do?
@infogulch , there is a pending feature request for this. In short, if a token is not found, then a user gets an “anonymous” token by way of multiple redirects, but I never implemented it.
I want to manage authorization inside my application, which responds differently to public and authenticated users based on their logged-in status.
I tried
bypass uri /
but that just aborts all attempts to authenticate and fails to process the header injections. How can I allow all requests through, while processing and injecting headers for requests that are already authenticated?
Related: #278