Provide a way to retrieve verifying secret at runtime using connection information

[rbino]

Hi,
I'm using Guardian to perform authentication on some APIs. Those APIs are only responsible of verifying JWTs, so they just have access to the public key as those tokens are emitted and signed by a third party.

To support multitenancy, I have some code similar to this in my application (the :current_tenant in the conn gets populated by another upstream plug which in turn populates it based on the slug in the path):

defmodule MyAppWeb.VerifyHeader do
  alias Guardian.Plug.VerifyHeader, as: GuardianVerifyHeader
  alias JOSE.JWK

  def init(opts) do
    GuardianVerifyHeader.init(opts)
  end

  def call(conn, opts) do
    secret = get_secret(conn)

    merged_opts =
      opts
      |> Keyword.merge(secret: secret)

    GuardianVerifyHeader.call(conn, merged_opts)
  end

  defp get_secret(conn) do
    public_key = conn.assigns[:current_tenant].public_key
    case JWK.from_pem(public_key) do
      %JWK{} = secret ->
        secret        
      _ ->
        nil
    end
  end
end

and then I use MyApp.VerifyHeader instead of Guardian.Plug.VerifyHeader.

Now, all of this works for my specific usecase, but I feel that it would be nice to have something similar to the Guardian.Token.Jwt.SecretFetcher at the Plug level, so you could retrieve different secrets at runtime based on information contained in the Plug.

I assume this could be implemented as a behaviour where you have to implement the fetch_verifying_secret function, or you could pass an MFA to Guardian.Plug.VerifyHeader. I'd be interested on submitting a PR if you think this feature could be useful (in that case let me know which of the approaches you'd prefer).