demonstrate auth implementation by including passport? #18

Open
ashleygwilliams opened this issue Jul 5, 2015 · 6 comments

@ashleygwilliams
Member

auth is super common in projects. what are our thoughts on adding passport to this example?

@ashleygwilliams ashleygwilliams changed the title include passport? demonstrate auth implementation by including passport? Jul 5, 2015
@jamesplease
Member

I def. see there being value in this, so I'm down for adding it. @tkellen, I think you've thought more about auth than I have, so I'm curious to hear your thoughts.

@tkellen

tkellen commented Jul 6, 2015

This is sorely needed. Right now we have no support for auth and no way to pass around the current user. There is a clear location for the current user to be picked up so it can be used in CRUD actions; we just haven't needed it yet.

I'm 👍 to adding passport and to getting res.user populated so we can start by adding it to the endpoints "request object".

Once we have that, we have to take it a step further and figure out a convention-based way to weave that user into CRUD responsibilities.

For example, when interacting with resources and relationships, we need a hook to support checking if our user can do something.

I'm imagining that we have an allowedFor(user, method, idOrIds) hook on models (I had this in the original endpoints) that does the following:

  1. If passed user/method, returns a query builder that if executed would return all ids valid for the requested method. This can be interleaved into a read request easily to limit access to what the user can see, or used directly to get the ids so they can be operated on further.
  2. If passed user/method/id, returns a promise that resolves if the user has access and rejects if not.
  3. If passed user/method/ids --- ??? returns a promise that resolves to the valid ids? rejects if any are not allowed, while also supplying the valid ids?
  4. Allows any arbitrary "method" to be added for custom handling.

All of this will be pretty straightforward to implement; it's the documentation around usage that is going to need a lot of love.
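
A sketch of the `allowedFor(user, method, idOrIds)` hook described in the comment above, added here as an example; it is not code from this thread or from the project. The in-memory `BOOKS` rows, the `RULES` table, the `idQuery`/`fetchIds` stand-in for a query builder, and the reject-with-`validIds` behaviour for the multiple-ids case (which the comment leaves open) are all assumptions.

```javascript
// Constructed sample data: rows of a hypothetical "books" table.
const BOOKS = [
  { id: 1, ownerId: 10, published: true },
  { id: 2, ownerId: 11, published: false },
  { id: 3, ownerId: 10, published: false },
];

// Per-method rules; any custom "method" name can be added here (item 4).
const RULES = {
  read: (user, row) => row.published || (user != null && row.ownerId === user.id),
  update: (user, row) => user != null && row.ownerId === user.id,
  publish: (user, row) => user != null && user.admin === true, // custom method
};

// Stand-in for a query builder (assumption): nothing runs until fetchIds().
function idQuery(predicate) {
  return { fetchIds: () => BOOKS.filter(predicate).map((row) => row.id) };
}

function allowedFor(user, method, idOrIds) {
  const rule = RULES[method];
  // Unknown methods are denied rather than silently allowed.
  const query = idQuery((row) => (rule ? rule(user, row) : false));
  if (idOrIds === undefined) return query; // item 1: lazy query of valid ids

  const allowed = new Set(query.fetchIds());
  const requested = Array.isArray(idOrIds) ? idOrIds : [idOrIds];
  const valid = requested.filter((id) => allowed.has(id));
  if (valid.length === requested.length) {
    return Promise.resolve(valid); // item 2, and item 3 when every id passes
  }
  // Assumed answer to item 3: reject, but expose the ids that were valid.
  const err = new Error(`${method} denied`);
  err.validIds = valid;
  return Promise.reject(err);
}

// Constructed call: user 10 owns rows 1 and 3 but not row 2.
allowedFor({ id: 10 }, 'update', [1, 2, 3]).catch((err) =>
  console.log(err.message, err.validIds));
```

Ids that do not exist are treated the same as ids the user may not touch, so a caller cannot tell the two apart from the rejection.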

@ashleygwilliams
Member Author

hey so i have an auth implementation in https://github.com/artisan-tattoo/assistant-api using passport, it's verrrrrrrrrrrry simple, basically just shows how to add it, not even really use it. we could start with this and move forward?

@tkellen

tkellen commented Jul 6, 2015

We either need to add a users table to the fantasy-database repo and update here accordingly, or use a hard-coded user/pass. Thoughts?

@ashleygwilliams
Member Author

i think just starting with hardcoded user/pass might make it simple enough for a first go and then make it more complicated from there when we have more time to write docs (i.e. i catch up the docs to where we are at the moment)

@UmarFKhawaja

UmarFKhawaja commented May 10, 2016

Hi folks,

Where is this effort now?

Thanks.
