Comments (7)
@GJordao, this would be a great addition and it would give a lot of flexibility for different purposes.
For a first version that supports just one middleware, using an env variable URL should be OK.
This feature could also halt the JWT generation if we don't add some kind of protection from unexpected middleware behaviour.
The basic JWT token generation can be delayed but should not be stopped when middleware fails (this requires more discussion).
Suggestion:
Add env variables:
- payloadMaxWaitTime: to mitigate/protect from unresponsive middleware.
- payloadMaxSize: to limit the expected response size from the middleware.
from simple-auth.
That's a good point. The token should not get generated. The service should fail with a clear timeout of the dependency.
Let's remember this API is to be used by another service and it's not a public facing API, so failing clearly is the priority.
To be honest, the payloadMaxSize does nothing for me either, but I can imagine it being useful to some people. My thought process was that it can't hurt to add, but if I understand your perspective, you'd prefer to not add the complexity. Am I reading you right @GJordao?
from simple-auth.
This sounds good, should we allow users to specify an env variable URL where we would fetch that data and expect a certain format (an object with payload for example)?
@MicroAnibal what do you think?
from simple-auth.
I'd say @MicroAnibal's suggestion is pretty good. Let's do that and see how it flows?
from simple-auth.
Not sure if I agree fully. If the middleware is unresponsive do we still generate the token? I think an error should occur to let the users know something is up with the service. Creating the token but then not having information the users might need will only create more problems. Ex: token contains permissions; if we generate the token without that payload users might not have access to stuff they need.
As for max size, if the users are the ones defining the max size they should just check it on their middleware I suppose. I don't see a point in giving users that control since they already have control on the middleware.
from simple-auth.
Yup that's essentially it
from simple-auth.
We can go ahead and implement this:
- Add env variable that specifies the URL to call
- On the login endpoint call that URL
- If the call fails return an error to the user and don't generate the token
- If the call is successful add that payload to the jwt token
from simple-auth.