Get rid of unsafe function in AuthedContext
Opened this issue · 0 comments
chuwy commented
`AuthedContext.getAuth` throws an exception when the underlying `AuthMiddleware` returns `None` (or if the middleware was not applied). Was initially raised here.
Here's how I first stumbled upon this.

1. I wanted to have a route `/entities` without authorization required (but instead behavior would be slightly different when the user is not anonymous).
2. My authorization logic was `request.headers.get("apikey").flatMap(db.getPermissionById)`, so whenever `apikey` was not present in the DB or the request, `AuthMiddleware` returned `None`.
3. Whenever `AuthMiddleware` returned `None`, I got `NoSuchElementException` in `getAuth`.

I guess my design goals in the 1st and 2nd points were slightly invalid, and I fixed this by changing the authorization logic to always return something, e.g. `Anonymous` even when no `apikey` is available, and using `url >>> Auth.auth()`, but it made my endpoint officially require authorization.
- If the design of `AuthMiddleware` is to never return `None`, we need to remove `AuthedContext.getAuth` entirely and use only `>>> Auth.auth()`.
- If it is okay to return `None` for "anonymous users", we need to make it return `Option[AuthInfo]` (this is what I did in #253).
- Somehow make it impossible to call the authentication method without `AuthMiddleware` being applied (I guess this is a long-term goal of this ticket).
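The failure mode and the `Option[AuthInfo]` fix discussed in this issue, as an added Scala sketch that is not rho's own code: `Request`, `AuthInfo`, `authMiddleware`, `getAuth`, `getAuthUnsafe` and `AuthedRequest` are hypothetical stand-ins, and `db` is a constructed permissions map standing in for `db.getPermissionById`.

```scala
object AuthedContextDemo {
  sealed trait AuthInfo
  final case class User(id: String) extends AuthInfo
  case object Anonymous extends AuthInfo

  // Request carrying an attribute bag that middleware may populate.
  final case class Request(headers: Map[String, String], attributes: Map[String, AuthInfo] = Map.empty)

  // Constructed stand-in for the permissions table behind db.getPermissionById.
  val db: Map[String, AuthInfo] = Map("key-alice" -> User("alice"))

  // Middleware mirroring the issue's logic: headers.get("apikey").flatMap(lookup).
  // When the lookup yields None, nothing is stored on the request.
  def authMiddleware(req: Request): Request =
    req.headers.get("apikey").flatMap(db.get) match {
      case Some(info) => req.copy(attributes = req.attributes + ("auth" -> info))
      case None       => req
    }

  // Unsafe shape: `.get` on an absent attribute throws NoSuchElementException,
  // whether the middleware found no key or was never applied at all.
  def getAuthUnsafe(req: Request): AuthInfo = req.attributes.get("auth").get

  // Safe shape: absence is part of the return type, so the route decides what it means.
  def getAuth(req: Request): Option[AuthInfo] = req.attributes.get("auth")

  // Route /entities: open to everyone, with different behaviour when a user is known.
  def entities(req: Request): String =
    getAuth(req).getOrElse(Anonymous) match {
      case User(id)  => s"entities visible to $id"
      case Anonymous => "public entities only"
    }

  // Stronger shape: a handler that only accepts an AuthedRequest, which only the
  // auth step produces, so wiring it without that step fails to compile.
  final case class AuthedRequest(auth: AuthInfo, req: Request)
  def authed(req: Request): AuthedRequest = AuthedRequest(getAuth(req).getOrElse(Anonymous), req)
  def privateEntities(r: AuthedRequest): String = s"private entities for ${r.auth}"

  def main(args: Array[String]): Unit = {
    val noKey   = authMiddleware(Request(Map.empty))
    val unknown = authMiddleware(Request(Map("apikey" -> "not-in-db")))
    val alice   = authMiddleware(Request(Map("apikey" -> "key-alice")))
    Seq(noKey, unknown, alice).foreach(r => println(entities(r)))
    // Wrapped in Try so the demo keeps running after the unsafe accessor fails.
    println(scala.util.Try(getAuthUnsafe(noKey)))
    println(privateEntities(authed(alice)))
  }
}
```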