Replies: 3 comments 3 replies
-
This proposal touches some discussions we’ve had regarding similar issues with the new auth system Atm, when writing a custom auth handler, you need to lock your instance with two API keys (for http and ws) and a secret for JWT. While this setup may be somewhat opinionated, it’s a necessary part of the current system. This could be clarified better in the documentation Regarding the execution order of the auth handlers, I understand why you'd want more flexibility. However, in my view, the order is usually less relevant because you are unlikely to use the same keys or tokens for different auth handlers. When a custom handler is implemented, the core handler typically fails since it lacks the necessary credentials, allowing the custom one to take over More interesting, imho, is the possibility of overriding the entire list of allowed auth handlers. This would allow users to specify only custom handlers. Be aware that this would also exclude the admin panel, which relies on the default core auth handler for authentication. But you only have to worry about your own auth and don't have to manage the internal keys |
Beta Was this translation helpful? Give feedback.
-
@Chida82 let me clarify The list
So to recap, there are 2 handlers: core, always present and a custom one you can choose form a list. The
Having the
There have been lots of discussions about this, and the most debated point was to have a custom auth without sacrificing the admin and a basic auth configuration. So now there is a core auth and a custom auth, side by side. I wanted to have a simpler hook just to list and run all auth handlers, Django style, but community decided it was "dangerous". Let me know if everything is clear and thanks @lucagobbi for helping the clarification P.S.: As Luca says, core auth must be secured with env variables in any case, because it will run in parallel with your custom auth |
Beta Was this translation helpful? Give feedback.
-
@Chida82 attention in TLDR: change your auth handlers so they are sync |
Beta Was this translation helpful? Give feedback.
-
At present, the Auth handler always runs the core/standard version first and the custom version afterwards.
This is the case for the auth_handlers list, which is fixed.
I propose to make the order dynamic.
At the moment, it is possible to use hook factory_allowed_auth_handlers which allows hanging to another list. Now we could not only hang but put before or reorder this list.
My proposal is to apply before or after Core Auth depending on whether the list_auth_handler_default contains the CoreOnlyAuthConfig element first or not.
In some cases it may be more efficient to run the custom version first.
What do you think, can I develop it, would you accept this implementation? I understand I am not the only one who did not expect different behaviour for the 2 lists
ps: it would also be a step to consider disabling the custom version in the future, but that is not the point of the discussion at the moment!
Beta Was this translation helpful? Give feedback.
All reactions