Authentication middleware should NOT interfere with Authorization

Question

Authentication middleware should NOT interfere with Authorization

montella1507 opened this issue 2 years ago · 3 comments

montella1507 commented 2 years ago

Hi,

Slim-jwt-auth is "Authentication middleware":
This middleware implements JSON Web Token Authentication.

Authentication should:

parse and validate token if found
add identity of the user to Request (if the token is valid and found)

Authentication SHOULD NOT:

prevent any action
return 401
disallow going to any route

Because it's part of the process which should be handled by AUTHORIZATION middleware.

slim-jwt-auth is authentication middleware , there are several good reasons, why you should not interchange / mix these two terms.

Please do not provide any "authorization" / denial service inside Authentication middleware, it is wrong place to do that and you usually want to sort your middlewares in this way:

...

Authentication (parse and validate identity)
Routing
Authorization

Authentication / Authentication should be split to 2 middlewares and named correctly.

Preventing routes in "authentication" middleware is wrong.

Answer 1 · 2022-10-17T08:55:23.000Z

The problem is this Behavior - it is wrong.

in case the token is not there or invalid, you should do nothing... The part of work of the Authentication middleware is only to parse and validate user identity, not to return 401 when not found.

Answer 2 · 2022-10-22T11:39:40.000Z

Yeah naming things is hard. I do not remember anymore why the class was named JwtAuthentication. In any case changing behavior so that middleware would allow access even when token is missing or invalid is a BC break so such change will not happen.

Allowing access with missing or invalid credentials is also what most users will not expect even though the term "Authentication" is technically wrong.

As a sidenote even HTTP Basic Authentication RFC7617 suggest replying with 401 when credentials are missing. This is not a requirement though.

Upon receipt of a request for a URI within the protection space that
lacks credentials, the server can reply with a challenge using the
401 (Unauthorized) status code

I will add the word "Authorization" to description to avoid confusion.

Answer 3 · 2023-08-24T00:31:15.000Z

I got here because I was also confused. I was expecting access to the request token regardless of auth success. For example if you have a route that returns default data without a valid token, but return extra data if that token exists (using the identical routing). Would it be possible to configure in this way? Thanks.