Authentication Middleware (draft)

Davide Marquês

Sep 10, 2009, 1:38:08 PM
to ew...@googlegroups.com
Hi again,

I'm working on an authentication middleware and would like to discuss its design to check if it fits with the ewgi-way. :)

Here's the middleware graph:
ewgi_dispatcher -("/auth_area")-> ewgi_post -(on 'get')-> DisplayFormApp
                                            -(on 'post')-> ewgi_login -(on fail) -> DisplayFormApp
                                                                      -(on success)-> AuthResourceApp

What do you think, is this how it should be done?

Some issues raised by the prototype:

  - no way to return an "internal redirect to another url" instead of calling the DisplayFormApp directly
    - ewgi_dispatcher:redirect_to(Url) comes to mind (it would be like calling out to ewgi_session's
      functions: safe if we were inside that "onion skin")

  - no standard way to pass error/flash messages to the next app
    - actually ewgi_api:response_error/2 is good enough for error messages
    - abusing ewgi_api:response_body/2 for flash messages? Why not? Between requests the flash message *is the response*. :)
    - it comes down to the problem of how two disconnected middleware components should share data... :/
      If DisplayFormApp is served by beepbeep then it (beepbeep) must check if a previous middleware left 'messages' for it and
      then inject those in the appropriate place so that they'll reach the template.
      Actually... after some thought I realized that here we can also use a getter: ewgi_auth:auth_error()
      If we're building a login page it's not unreasonable to depend on an ewgi_auth interface for supplying us with auth error messages.

  - ewgi_post is using ewgi_api:remote_user_data/2 to store the parsed data which doesn't seem right
    since according to the spec:
      remote_user_data: (Element 15) Any additional data provided by the authentication mechanism
    and a post doesn't necessarily involve the authentication mechanism.
    - caching to a ?EWGI_POST_DATA variable and offering an ewgi_post:get_value/2 should do the trick
    - ah! ewgi_mochiweb is also setting that!

Well that's all I got. Feel free to comment. :)

Cheers,
Davide

Filippo Pacini

Sep 11, 2009, 6:15:07 AM
to ew...@googlegroups.com
Hi Davide,
thanks for your work and comments.

I'll skip the first part. I'll try to answer over the weekend.

Davide Marquês wrote:
>
> - ewgi_post is using ewgi_api:remote_user_data/2 to store the parsed
> data which doesn't seem right
> since according to the spec:
> remote_user_data: (Element 15) Any additional data provided by the
> authentication mechanism

Yes this is wrong. My fault.
I thought remote_user_data was the place to store the body of the
request, but I was wrong, as the spec says.
I'll try to fix this as soon as possible.

I think we should add an api to easily read the unparsed body of the
request.
We could add a ewgi_api:read_body that uses read_input in the
ewgi_context to get all the body in one step.

cheers,
filippo
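
The separation discussed in this thread (parsed POST data cached under its own key and read through a getter, with remote_user_data written only by the authentication step), as an added example that is not part of either post and is not EWGI code. The context is modelled as a plain map, and the module name, map keys, functions and credentials are all hypothetical or constructed.

```erlang
%% Added example: a stand-alone model, not EWGI code. The context is a plain
%% map; post_data_demo, the map keys and all functions are hypothetical.
-module(post_data_demo).
-export([parse_post/1, get_value/2, login/1, demo/0]).

%% Request middleware: parse the urlencoded body and cache the pairs under
%% their own key, leaving remote_user_data for the authentication layer.
parse_post(#{body := Body} = Ctx) ->
    Pairs = [split_pair(P) || P <- string:lexemes(Body, "&")],
    Ctx#{post_data => Pairs}.

split_pair(P) ->
    case string:split(P, "=") of
        [K, V] -> {K, V};
        [K]    -> {K, ""}
    end.

%% Getter in the spirit of the proposed ewgi_post:get_value/2.
get_value(Key, #{post_data := Pairs}) ->
    proplists:get_value(Key, Pairs);
get_value(_Key, _Ctx) ->
    undefined.

%% Authentication middleware: the only writer of remote_user_data.
%% The accepted credentials are constructed sample values.
login(Ctx) ->
    case {get_value("user", Ctx), get_value("pass", Ctx)} of
        {"alice", "s3cret"} ->
            {ok, Ctx#{remote_user => "alice",
                      remote_user_data => [{role, member}]}};
        _ ->
            %% Error left for the form app, as with an auth_error getter.
            {error, Ctx#{auth_error => "invalid credentials"}}
    end.

demo() ->
    %% Constructed request body that also carries a "role" field.
    Ctx0 = #{body => "user=bob&pass=x&role=admin"},
    {error, Ctx1} = login(parse_post(Ctx0)),
    %% The posted field is readable as POST data only; the slot reserved
    %% for the authentication mechanism was never written.
    {get_value("role", Ctx1), maps:is_key(remote_user_data, Ctx1)}.
```

Because client-supplied fields never land in remote_user_data, a downstream app that reads that element can treat it as coming from the authentication mechanism, as the spec text quoted above describes.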
