Comments (1)
One thing we need to decide is if we do user record management or not. Our current NextAuth system attempts to do so, but It will be much easier for us not to. I suggest that we simply accept and decode JWTs from any source (where decoding tools or configuration are provided), but leave their interpretation up to the developer.
We can provide plugins for popular auth providers that perform validation using the provider’s own libraries if available. For example:
Developers can provide their own JWT plugins using an API that we document. The API should allow for the plugin to run arbitrary code to decode the JWT, since providers often rotate signing keys and provide SDKs to handle that automatically.
It’s entirely possible that a developer will want to accept JWT from any number of providers. In that case, we should provide a name for each provider that we support (or they support themselves), and pass that along with the decoded JWT to routes or policies that use them. With that, the developer can write code to implement things like “Users authenticated with the Firebase plugin that have custom claim ‘foo’ may invoke this route” or “Users authenticated using the Google plugin whose ‘sub’ (uid) claim is present in an entity query may invoke this route”. It also allows developers to “link” the same end user with multiple auth providers by associating a pair of provider ID / claim within a per-user entity. For example, a UserAuth entity might have the following structure:
class UserAuth extends ChiselEntity {
// identifies a unique end user to the application
uid: string
// provider ID they auth’d with (e.g. “google”, “facebook”)
provider: string
// value of the claim that identifies them to the provider
providerUid: string
}
With this, code can be written to query UserAuth using information from a decoded JWT to find out which logical end user is making the request.
Availability in ChiselRequest
The following Auth type could be provided in ChiselRequest and policies:
interface Auth {
// provider ID, e.g. “google”
provider: string
// decoded JWT
jwt: Jwt
}
interface Jwt {
header: JsonObject
payload: JsonObject
}
type JsonValue =
| string
| number
| boolean
| JsonObject
| JsonArray;
interface JsonObject {
[key: string]: JsonValue;
}
interface JsonArray extends Array<JsonValue> { }
Here’s how the JWT might surface in a route handler:
async (req: ChiselRequest) => {
// defined only if a JWT was decoded from Authorization
const auth: Auth? = req.auth
if (auth === undefined) {
// Auth required, return 403
}
const provider = auth.provider
const jwt = auth.jwt
// sub uniquely identifies the user to the provider
const providerUid = jwt.header.sub
// look up app user record using provider and sub
const user = await AuthUser.findOne({ provider, providerUid })
// decide if the user should be allowed to do whatever
}
from chiselstrike.
Related Issues (20)
- Feature: More graceful handling of policy code that can’t be optimized
- Making policy function async causes chiseld to crash without recovery
- Support use of === operator in policy code
- Support debug logging in policy code
- Policy API should allow normal representation of HTTP headers during access
- Build requires native OpenSSL
- give meaningful error message when model contains duplicate fields
- CRUD responses in HATEOAS format HOT 1
- Support projections (field allowlist) in entity queries HOT 5
- ERR! code ENOSPC HOT 4
- ChiselStrike is breaking on WSL2 HOT 1
- Possible to support EdgeDB? HOT 4
- Doesn't run from example HOT 4
- Support WebSocket endpoints HOT 1
- Proposal: nanoid instead of uuid
- Relationships: create a blogpost referencing existing author? HOT 2
- Build into desktop app
- Support working with pnpm
- events persistence: not-consumed are lost after restart HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from chiselstrike.