New Feature - Authentication Middleware Injection #123
Conversation
leoraba
force-pushed
the
feat/auth-ego-token
branch
from
f7d38d9 to
e72b37b
Compare
apps/server/src/middleware/auth.ts
Outdated
| } | ||
| } | ||
|
|
||
| export const authMiddleware = (req: Request, res: Response, next: NextFunction) => { |
There was a problem hiding this comment.
Server in Lyric monorepo doesn't implement any authentication, although it provides a basic middleware to demonstrate how to set user property
There was a problem hiding this comment.
Retrieving user details from request if provided.
leoraba
changed the title
leoraba
changed the title
There was a problem hiding this comment.
Updating Docs. Adding section to implement auth middleware and database migrations
There was a problem hiding this comment.
those examples are really helpful! wonder if it would be more useful for integrators to have those as actual files instead (like a ready to copy and customize scaffolding)
thoughts?
There was a problem hiding this comment.
I think providing our database migration script allows integrators to ensure Lyric will keep track of codebase and database schema in sync. For example, integrators over time can jump to latest version of Lyric, and they will be sure the database schema will be updated as well. In essence, how Lyric stores data shouldn't be a headache for implementers.
| @@ -48,6 +49,7 @@ export type AppConfig = { | |||
| limits: LimitsConfig; | |||
| logger: LoggerConfig; | |||
| schemaService: SchemaServiceConfig; | |||
| authMiddleware?: (req: Request, res: Response, next: NextFunction) => void; | |||
There was a problem hiding this comment.
Applications that implements Lyric provider will pass a custom middleware for authentication
leoraba
changed the title
| // TODO: auth here | ||
| console.log(`auth`); | ||
| next(); | ||
| export const authMiddleware = (authConfig: AuthConfig) => { |
There was a problem hiding this comment.
Middleware used when auth is enabled.
It uses the customAuthHanlder to performs the auth.
It returns to next() handler if user is valid authenticated or return a 401 or 403 error.
| * @param req - Express request object | ||
| * @returns User session result | ||
| */ | ||
| export const authHandler = (_req: Request) => { |
There was a problem hiding this comment.
This is the implementation of an auth handler used to provider Guest access.
There was a problem hiding this comment.
I don't know the whole project context, so I'm wondering why the readme example for authHandler contains actual auth logic, but the actual authHandler implementation just returns a hardcoded value
There was a problem hiding this comment.
I think the answer is related to this? #123 (comment)
There was a problem hiding this comment.
The handler implemented in this apps/server package is a basic implementation for demonstration, however, the details how to customize it is described in readme file
README.md
Outdated
| @@ -88,6 +88,7 @@ The Environment Variables used for this application are listed in the table bell | |||
| | `PLURALIZE_SCHEMAS_ENABLED` | This feature automatically convert schema names to their plural forms when handling compound documents. Pluralization assumes the words are in English | true | | |||
| | `PORT` | Server Port. | 3030 | | |||
| | `UPLOAD_LIMIT` | Limit upload file size in string or number. <br>Supported units and abbreviations are as follows and are case-insensitive: <br> - b for bytes<br> - kb for kilobytes<br>- mb for megabytes<br>- gb for gigabytes<br>- tb for terabytes<br>- pb for petabytes<br>Any other text is considered as byte | '10mb' | | |||
| | `ALLOWED_ORIGINS` | Specifies a list of permitted origins for Cross-Origin Resource Sharing (CORS). These origins, separated by commas, are allowed to make requests to the server, ensuring only trusted domains can access resources. | | | |||
There was a problem hiding this comment.
Example value could be helpful here
packages/data-provider/README.md
Outdated
| }, | ||
| }; | ||
|
|
||
|
|
||
| const lyricProvider = provider(appConfig); | ||
| ``` | ||
|
|
||
| Use any of the resources available on provider on a Express server: | ||
| ### Auth Custom Hanlder |
packages/data-provider/README.md
Outdated
|
|
||
| ``` | ||
|
|
||
| ``` |
|
A couple recommended tidying tasks but all in all this looks like a very clean implementation. I'll leave some time for team members closer to the project to take a look, but it looks good to me! |
| if (!origin) { | ||
| // allow requests with no origin | ||
| // (like mobile apps or curl requests) | ||
| return callback(null, true); |
There was a problem hiding this comment.
do we want to add a feature flag (env var config) to enable this, and have it disabled by default?
doesn't feel right to just have it "open" like this
There was a problem hiding this comment.
Thanks for noticing this. In regards to security this should be disabled by default.
And could be converted into a variable named CORS_ENABLED where when true only registered domains can access the server, otherwise rejected (default)
Enhancements and Features
Authentication Middleware Injection: Added a new property in the provider package to support a custom auth implementation in the middleware. Applications using the Lyric provider can now pass a function
customAuthHandlerto enforce their authentication logic.User Property Utilization: Updated Lyric to use the
userproperty from the incoming Request object to obtain username.Exported
UserSessionType: Introduced and exported theUserSessiontype to define user related properties. Lyric will use theuserproperty from the incoming Request object to obtain the user name.Documentation Updates: Updated the documentation to include guidelines on implementing and integrating a custom authentication middleware.