-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement auth0-forwarded-for header passing in Authentication Client #401
Conversation
Does it make sense to use this as an option per method? Maybe it's better to use as a global config instead? |
It would be neat to use as a global config, but I don't think it's possible. The IP value has to be taken from individual requests. |
Why would it change on every request? |
Because as I understand it, it's about forwarding individual client's IP to Auth0 backend in order to tie brute force attempts with particular IPs. |
@kjarmicki ahh! Of course 😝 |
@luisrudge Let's make sure we have a cross-platform strategy/design for the other SDKs before we progress too far on this. Auth0.Net already has an issue open about providing similar functionality auth0/auth0.net#274 Whether you need to change IP per request really depends on whether you imagine the lifecycle of the client object being per user request or if you want to pool/hold it around to use it across multiple user requests. I don't think there is anything in it today that forces it to be used one way or another. |
@damieng I agree, that's a good point. But, considering node-auth0 doesn't hold any state, there's no hard requirement to create one instance per request, right? @kjarmicki how do you use this in your app? do you create one Management instance per request or one per application? |
@luisrudge we're initializing the client object once at the start of the application and reusing it throughout the life of the app. I think having a global initialization option would force the module users to re-initialize the client for each request while having it as a method option enables both use cases @damieng mentioned. Personally, I think a global option way is a bit counterintuitive :) By definition |
@kjarmicki perfect. Thanks for your feedback. I'll discuss this internally and get back to you. |
@luisrudge howdy :) any news? If I can help in any way let me know. |
@kjarmicki we're having some internal discussions on how to tackle this across all of our SDKs. Sorry about the wait. I'll get back to you when I have more information. |
@kjarmicki did you test this with all the methods? I just contacted our protocols team and only two grant types do this: |
@luisrudge I did not, I assumed that all HTTP-based login methods support this header and checked the one we use ( |
Thanks for the PR! 🎉 |
Yay! Thank you for support and merge :) |
Thursday! |
Perfect 👌 |
released in [email protected] |
This is not in types :( ! |
Changes
This PR implements auth0-forwarded-for header passing in the Authentication Client.
User-facing methods now accept an additional argument
options
, right before callback, for example:This change is non-breaking. If there is no options object, the callback as a second argument will still work.
References
#191
Testing
I have also npm linked the module to my existing project and it seemed to do it's job.
Checklist