Comments (9)

tanner0101 commented on August 25, 2024

Great, I merged and tagged as 2.0.4 :)

from auth.

0xTim commented on August 25, 2024

Out of curiosity - what's the use case for having a route that is protected by both a token or a cookie? Since normally a cookie (browser) request returns a View and a token request returns JSON.

The middleware is behaving as expected unfortunately - there's no way to 'skip' a middleware in the chain. If you want to do that you'll need to write a custom middleware that checks for an authenticated user before trying to do a look up again. Or wraps the two middlewares and works out which one to use.

grahamburgsma commented on August 25, 2024

I'm not super familiar with front end stuff so if this isn't the way to do it please let me know. But I have a Vapor API (all JSON routes) that supports an iOS app and two React frontends. I want to use cookie based for the frontends as that is more secure (using an http only cookie). For the iOS app, token based is more preferred. I would have thought this is a common use case, but I guess not!

0xTim commented on August 25, 2024

Ah ok, I see what you mean. So (I think) the usual way of doing it is to provide a token to the front end that it uses to make requests. Note that if you use HTTP only cookies, you won't be able to use them with your React front-end (since that's JS obviously and it won't have access to the cookies).

grahamburgsma commented on August 25, 2024

I was doing it that way, but there is no secure way to store a token in web storage (that I could find). Any JS can read the local storage and have the token.
I do actually have it working with React and an HTTP cookie (using axios at least); it is included automatically using the `withCredentials` option.

tanner0101 commented on August 25, 2024

This seems like it could be an oversight in the session auth middleware. The rest of the middleware have a guard statement at the beginning that checks to see if authentication has already been performed:

https://github.com/vapor/auth/blob/2/Sources/Authentication/Basic/BasicAuthenticationMiddleware.swift#L16-L20

But this is lacking in the session auth middleware:

https://github.com/vapor/auth/blob/2/Sources/Authentication/Persist/AuthenticationSessionsMiddleware.swift#L7

from auth.
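
The guard described in the comment above, modelled in plain Swift as an added example (not code from vapor/auth). Every type and name is a hypothetical stand-in, and the overwrite in the unguarded case is an assumed failure mode, since the thread does not state the exact symptom.

```swift
// Hypothetical model of an auth middleware chain; none of this is Vapor's API.
struct User { let name: String }

final class Request {
    var headers: [String: String] = [:]
    var cookies: [String: String] = [:]
    var authenticated: User?   // set by whichever middleware succeeds first
    var lookups = 0            // counts credential-store lookups
}

protocol AuthMiddleware { func respond(to req: Request) }

// Constructed sample credential stores.
let tokens = ["Bearer t0k3n": User(name: "ios-user")]
let sessions = ["sess-abc": User(name: "web-user")]

struct TokenAuth: AuthMiddleware {
    func respond(to req: Request) {
        // Guard: do nothing if an earlier middleware already authenticated.
        guard req.authenticated == nil else { return }
        guard let header = req.headers["Authorization"] else { return }
        req.lookups += 1
        req.authenticated = tokens[header]
    }
}

struct SessionAuth: AuthMiddleware {
    let guardEnabled: Bool     // false models the middleware without the guard
    func respond(to req: Request) {
        if guardEnabled, req.authenticated != nil { return }
        req.lookups += 1
        // Assumed failure mode: with no guard, a token-only request still hits
        // the session lookup, and its empty result replaces the upstream user.
        req.authenticated = req.cookies["session"].flatMap { sessions[$0] }
    }
}

func run(_ chain: [AuthMiddleware], _ req: Request) -> String {
    chain.forEach { $0.respond(to: req) }
    let who = req.authenticated?.name ?? "unauthenticated"
    return "\(who) after \(req.lookups) lookup(s)"
}

func tokenRequest() -> Request {   // constructed request from the iOS client
    let r = Request()
    r.headers["Authorization"] = "Bearer t0k3n"
    return r
}

print(run([TokenAuth(), SessionAuth(guardEnabled: false)], tokenRequest()))
print(run([TokenAuth(), SessionAuth(guardEnabled: true)], tokenRequest()))
```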

tanner0101 commented on August 25, 2024

Let me know if this seems like it will do the trick: #69

grahamburgsma commented on August 25, 2024

@tanner0101 that fixes it! Thank you 👏

MarkMurphy commented on August 25, 2024

I think it's worth adding something about this use case to the docs as an example. A lot of people are building APIs to accommodate both mobile and web based apps using libraries/frameworks like React, Vue, Angular, etc. It's convenient (and more secure) to leverage cookies for authentication when we're building web apps.

It's easy to pass a flag to fetch or an XHR to tell the browser to include credentials (i.e. cookies) with any API requests.
