OR-Chained middlewares
kolaente opened this issue · 3 comments
It would be cool if alice could support chaining middlewares with OR instead of executing them one after one. Currently, alice executes middlewares one after the other. The thing I have in mind would be to execute the first one in the list, if that fails execute the second one etc.
A bit more context on the use case:
We would like to use this with the chain middleware in traefik, which is powered by alice. We have one site which we want to secure using ip whitelist and basic auth; either one should work. If a user accesses the site not on the ip whitelist, it should need to complete the basic auth.
I'm not sure this is the right place to ask, but I figured I'd just open an issue to get the discussion going. Maybe this is a too-specific use-case for alice and would be better suited in traefik itself.
Hi @kolaente,
I'm afraid this is beyond Alice's reach. Once alice calls IpWhitelistMiddleware, it does not have a say what happens next. IpWhitelistMiddleware decides whether to call the request handler or some other middleware next.
In your example BasicAuth middleware must itself be aware that it is the last auth option, so it can cancel the request instead of calling the next handler. Middleware has nothing to indicate whether it "succeeded" or "failed" to other handlers (or Alice), it just does its thing and calls the next handler (or not, that's its own choice).
So in short, your call sequence seems to differ from what traditional Go HTTP middleware can offer. Perhaps it would be better to combine the choices into one HTTP handler:
    if ipIsWhitelisted(r) || basicAuthMatches(r) {
        next.ServeHTTP(w, r)
    } else {
        w.WriteHeader(401)
    }
The individual parts that check your auth (IP / Basic) do not even have to overtake the request flow, just analyze the request and report the result back. Of course, code that would literally look like this is not as composable.
Hope this helps you in some way.
P.S. Thanks for bringing Traefik's usage of Alice to my attention. That's cool! 💯
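The combined handler sketched in the reply above, filled in as an added example that is not part of the original thread or of alice. The function names follow the sketch; the allowed range, the credential pair and the `status` helper are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

var allowed = netip.MustParsePrefix("10.0.0.0/8")    // constructed example range
var wantCred = sha256.Sum256([]byte("admin:s3cret")) // constructed credentials

// ipIsWhitelisted tests the TCP peer, not the client-supplied X-Forwarded-For.
func ipIsWhitelisted(r *http.Request) bool {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	return err == nil && allowed.Contains(ap.Addr().Unmap())
}

// basicAuthMatches compares credential digests in constant time.
func basicAuthMatches(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	got := sha256.Sum256([]byte(u + ":" + p))
	return ok && subtle.ConstantTimeCompare(got[:], wantCred[:]) == 1
}

// anyAuth has the func(http.Handler) http.Handler shape that alice chains.
func anyAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ipIsWhitelisted(r) || basicAuthMatches(r) {
			next.ServeHTTP(w, r)
			return
		}
		// Neither check passed: challenge so a browser prompts for credentials.
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
		w.WriteHeader(http.StatusUnauthorized)
	})
}

// status sends one constructed request through anyAuth and returns the code.
func status(addr, user, pass string) int {
	r, w := httptest.NewRequest("GET", "/", nil), httptest.NewRecorder()
	r.RemoteAddr = addr
	r.SetBasicAuth(user, pass)
	anyAuth(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(w, r)
	return w.Code
}

func main() { fmt.Println(status("10.1.2.3:5000", "", ""), status("203.0.113.7:5000", "", "")) }
```

Behind a reverse proxy `r.RemoteAddr` is the proxy's address, so the IP check only means something when the handler sees the real peer or a header that a trusted proxy overwrites.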
All right, thanks for the quick answer! I kind of assumed this would be out of Alice's reach.
I'll discuss this further within traefik.
I've opened a new issue at traefik to discuss this a bit further: traefik/traefik#6007