Bridges for authorization

[Julio Fraire]

Hello!

I have built a simple authorization bridge. It simply tests that the user is already authenticated before delivering the requested route; if she is not logged in, then she is redirected to the login page.  For example:

sub build {
    my $self = shift;
    my $r = $self->routes;
    $r->add( '/' => {
        to       => sub { shift->authorize() },
        bridge => 1
    });
    $r->add( '/home'                    => 'home'              );
    $r->add( [ GET   => '/profile' ] => 'profile'             );
    $r->add( [ POST => '/profile' ] => 'update_profile' );
}

The authorization bridge is:

sub authorize {
    my $self = shift;
    if (!$self->user_logged_in) {
        $self->info('Unauthorized request');
        $self->status_error('Please identify yourself to fetch the desired resource');
        $self->res->redirect_to( '/login', {}, 303 );
        $self->res->rendered(1);
        return 0;
    }
    return 1;
}

It returns false when the user is not logged in to prevent the next route to be processed, and it sets rendered to true to avoid returning the standard 401 error (see psgi in Kelp.pm).

Is this the normal way of doing authorization with Kelp?

What do you think about setting rendered() to true after a redirect() and a redirect_to()? Within a bridge, the usage I exemplified above becomes slightly simpler. Within a route, it would avoid an unnecessary call to render() within the psgi() method of Kelp.

Thank you and best regards,

Julio

[Stefan Geneshky]

I think you're right. Setting rendered to true when redirecting makes good sense.

I've added a patch in the github repo. You can download it from there or wait for the CPAN release next week.

Stefan  

[Julio Fraire]

Thank you, Stefan.

Enjoy what's left of the weekend,

Julio