Authentication middleware should NOT interfere with Authorization #234
Comments
|
The problem is this Behavior - it is wrong.
in case the token is not there or invalid, you should do nothing... The part of work of the Authentication middleware is only to parse and validate user identity, not to return 401 when not found. |
|
Yeah naming things is hard. I do not remember anymore why the class was named Allowing access with missing or invalid credentials is also what most users will not expect even though the term "Authentication" is technically wrong. As a sidenote even HTTP Basic Authentication RFC7617 suggest replying with 401 when credentials are missing. This is not a requirement though. I will add the word "Authorization" to description to avoid confusion. |
|
I got here because I was also confused. I was expecting access to the request token regardless of auth success. For example if you have a route that returns default data without a valid token, but return extra data if that token exists (using the identical routing). Would it be possible to configure in this way? Thanks. |
Hi,
Slim-jwt-auth is "Authentication middleware":
This middleware implements JSON Web Token Authentication.
Authentication should:
Authentication SHOULD NOT:
Because it's part of the process which should be handled by AUTHORIZATION middleware.
slim-jwt-auth is authentication middleware , there are several good reasons, why you should not interchange / mix these two terms.
Please do not provide any "authorization" / denial service inside Authentication middleware, it is wrong place to do that and you usually want to sort your middlewares in this way:
...
Authentication / Authentication should be split to 2 middlewares and named correctly.
Preventing routes in "authentication" middleware is wrong.
The text was updated successfully, but these errors were encountered: