
Each auth strategy contain unique paths to protect #9

Closed
collinglass opened this issue Aug 23, 2014 · 4 comments

Comments

@collinglass

Handling the use case that some areas of an app need to access a user's external account, i.e. Twitter.

config.json would look something like this:

{
    "auth": {
        "bearer": {
            "enabled": false,
            "tokens": [],
            "protect": ["/"]
        },
        "twitter": {
            "enabled": false,
            "auth": null,
            "consumer_key": "",
            "consumer_secret": "",
            "protect": ["/feed"]
        }
    }
}

In tenso.js, lines 370, 398, 425, 453 would need to be updated, as in this example:

config.auth.linkedin.protect.push( new RegExp( "^/auth/linkedin", "i" ) );

The mapping function at line 195 would need to be changed, something like:

for (var key in config.auth) {
    // Compile each strategy's own protect list into anchored regexes.
    // The "^" anchor must be applied outside the ternary: written as
    // "^" + i !== "/login" it parses as ("^" + i) !== "/login" and the anchor is lost.
    config.auth[key].protect = ( config.auth[key].protect || [] ).map( function ( i ) {
        return new RegExp( "^" + ( i !== "/login" ? i.replace( /\.\*/g, "*" ).replace( /\*/g, ".*" ) : "$" ), "i" );
    } );
}

Then on line 248 you could do something like:

var protect = [];
for (var key in config.auth) {
    // apply() takes the `this` value first, then the argument array
    protect.push.apply( protect, config.auth[key].protect );
}
protection = zuul( protect );
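To make the proposal above concrete, here is an added example (not tenso's code and not from the issue author) that compiles a per-strategy `protect` list the way the mapping function does, reports which strategies guard a given pathname, and applies the owner's suggested per-strategy session flag check. The config shape, the `session` object, the strategy names and the `/auth/<strategy>` redirect are assumptions for the example.

```javascript
// Constructed config mirroring the issue's proposal (strategy -> protect globs).
const config = {
  auth: {
    bearer:  { enabled: true, protect: ["/"] },
    twitter: { enabled: true, protect: ["/feed", "/feed/*"] }
  }
};

// Compile one glob-style pattern into an anchored, case-insensitive RegExp.
// "/login" compiles to /^$/ so it is never protected; the parentheses keep the
// "^" anchor (without them the anchor is silently dropped by operator precedence).
function compilePattern(i) {
  return new RegExp("^" + (i !== "/login"
    ? i.replace(/\.\*/g, "*").replace(/\*/g, ".*")
    : "$"), "i");
}

// Map strategy name -> compiled protect list, skipping disabled strategies.
function compileProtect(auth) {
  const out = {};
  for (const key in auth) {
    if (!auth[key].enabled) continue;
    out[key] = (auth[key].protect || []).map(compilePattern);
  }
  return out;
}

// Strategies whose protect list matches this pathname. Note the patterns are
// prefix matches: "/" covers every path and "/feed" also covers "/feedback".
function strategiesFor(compiled, pathname) {
  return Object.keys(compiled).filter(key =>
    compiled[key].some(re => re.test(pathname)));
}

// Per-strategy authorization: each strategy the path needs must have left a
// flag in the session; otherwise redirect to that strategy's auth handler.
function authorize(compiled, pathname, session) {
  const needed = strategiesFor(compiled, pathname);
  const missing = needed.filter(key => !session[key]);
  if (missing.length === 0) return { ok: true, needed };
  return { ok: false, redirect: "/auth/" + missing[0] };
}
```

Because bearer's `"/"` pattern compiles to `/^\//i`, every path (including `/feed`) also requires bearer; a protect list meant for one area should use a narrower prefix.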
@avoidwork
Owner

Yeah, this is on the roadmap for 1.0.0. Stateless auth will not mix with stateful auth.

@avoidwork avoidwork reopened this Aug 24, 2014
@collinglass
Author

Cool, how would one implement this? To my knowledge, the protected array is defaulted to all auths.

@avoidwork
Owner

No, it's simply 'protected'. So either you have an auth header or a session, or you're not authorized.

@avoidwork
Owner

So, in general... this can be a situation where multiple social auth strategies are active and you require data from 'the other one'. I would simply have the endpoint look for a session flag or data set you put there when the user passed through the auth handler, and if missing redirect them to the appropriate URI.
