Radar and HTTP Basic Auth

Chris Johnson

Oct 15, 2015, 1:02:02 PM
to The Aura Project for PHP
I'm rewriting a legacy web app which uses HTTP Basic Auth.  I thought, "hey, maybe I could use Radar!"  

Then I started thinking about how authentication checks and database accesses are ideally contained within the Domain, and we don't want to pass knowledge of the protocol (HTTP) into the Domain.  Yet HTTP Basic Auth (along with the other HTTP auth methods) is very protocol oriented.

As with most software, I'm sure I can make Radar work.  But I feel like I'm going to be adulterating the ADR model in some fashion or another.

I was curious if anyone else had given this any thought, and what their conclusions or ideas were.





Chris Johnson

Oct 15, 2015, 1:06:00 PM
to The Aura Project for PHP
For example, there's this existing PSR-7 Middleware that can handle HTTP Basic Auth.  But is handling it in the middleware the right place?

Chris Johnson

Nov 4, 2015, 11:12:12 AM
to The Aura Project for PHP
I've found that Oscar Otero's BasicAuthentication Middleware does work, but it seems like both the right way and the wrong way to do this.  The "right way" is that middleware is rightly protocol-aware and Basic Auth is part of the HTTP protocol.  

But authentication in general, especially where it requires a database or LDAP or authentication service lookup, should properly reside in the Domain (Model) layer, not in the Middleware.  To quote Paul M. Jones:

You are going to be very tempted to place domain-related activity in your middleware, things like "checking to see if a user is authenticated" and so on. Resist this temptation. Middleware should only be about inspecting and modifying the request and response, not about handling domain elements. Middleware is not part of your core application; it is part of the HTTP user interface to that application.
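
An added illustration of the split discussed in this thread (not code from the posts, from Radar, or from the BasicAuthentication middleware): the HTTP-aware side only decodes the `Authorization` header, and a domain class with no HTTP knowledge checks the credentials. The names `parseBasicAuthorization` and `CredentialAuthenticator` and the in-memory user list are hypothetical.

```php
<?php
declare(strict_types=1);

// HTTP side (middleware or input handling): the only code that knows the header format.
// Returns [username, password], or null when the value is not valid Basic credentials.
function parseBasicAuthorization(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode: false on invalid input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only; the password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Domain side: receives plain strings and has no knowledge of HTTP.
final class CredentialAuthenticator
{
    private $hashes; // username => password_hash() output
    private $dummy;  // hash checked for unknown users, so both paths do the same work

    public function __construct(array $hashes)
    {
        $this->hashes = $hashes;
        $this->dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function authenticate(string $username, string $password): bool
    {
        $known = isset($this->hashes[$username]);
        $ok = password_verify($password, $known ? $this->hashes[$username] : $this->dummy);
        return $known && $ok;
    }
}

// Constructed sample data: one user and the header a client would send for it.
$domain = new CredentialAuthenticator([
    'alice' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT),
]);
$header = 'Basic ' . base64_encode('alice:s3cret:with:colons');

$credentials = parseBasicAuthorization($header);
$allowed = $credentials !== null
    && $domain->authenticate($credentials[0], $credentials[1]);
echo $allowed ? "200 OK\n" : "401 Unauthorized\n";
```

In this arrangement the same `CredentialAuthenticator` could back a login form or a CLI command, because nothing in it refers to headers or status codes.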