
Multiple authorization methods #643

Open
radexpol opened this issue Feb 5, 2023 · 2 comments

Comments

@radexpol
Contributor

radexpol commented Feb 5, 2023

I would like to use both session-based and JWT authorization methods.
When I detect the BASIC auth header, I want to use TMVCBasicAuthenticationMiddleware;
ELSE,
when I detect the BEARER auth header, I want to validate tokens.

  FMVC.AddMiddleware(TMVCBasicAuthenticationMiddleware.Create(Self)); // first, let's try login/password

  FMVC.AddMiddleware(TMVCJWTAuthenticationMiddleware.Create(
      TTokenRequests.Create, nil, JWTEncryptionKey,
      '',
      [TJWTCheckableClaim.ExpirationTime, TJWTCheckableClaim.NotBefore, TJWTCheckableClaim.IssuedAt])); // else, let's validate the token

The flow of authorization is not quite clear to me. Even if I'm correctly logged in using basic auth, the JWT middleware raises an exception saying the JWT header was not found. The code seems strange to me:

procedure TMVCBasicAuthenticationMiddleware.OnBeforeControllerAction(
  AContext: TWebContext;
  const AControllerQualifiedClassName, AActionName: string;
  var AHandled: Boolean);

begin
  // ...

  if IsAuthorized then
    AHandled := False  // is this correct? If we set AHandled = False the other authorization methods will be tried, so JWT will fail
  else
  begin
    if IsValid then
      Send403Forbidden
    else
    begin
      SendWWWAuthenticate;
    end;
  end;
end;

When I changed it to AHandled := True, the login process is OK.
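The behaviour described above (a Basic login succeeds, yet the JWT middleware that runs next fails because it sees no Bearer token) is the classic problem of chaining scheme-specific authentication steps. The following is an added example, not code from DelphiMVCFramework and not its IMVCMiddleware API; it is a small Python model of the control flow that a chain of this kind needs. Each step answers one of three things for the request's `Authorization` header: "not my scheme" (let the next step look), "my scheme and valid" (authenticate), or "my scheme but invalid" (reject and send a challenge). The chain stops at the first decisive answer and fails closed if nobody recognised the credentials. Note that "handled" is deliberately not part of this vocabulary: in the page's code `AHandled` means "a response was already written, skip the controller", which is why forcing it to True suppressed the endpoint. The user store, the HS256 key, the fixed clock `NOW` and the helper names (`basic_auth`, `jwt_auth`, `authorize`, `make_jwt`) are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Outcome(Enum):
    NOT_APPLICABLE = "not_applicable"  # no credentials for this scheme: let the next handler look
    AUTHENTICATED = "authenticated"    # credentials present and valid
    REJECTED = "rejected"              # credentials for this scheme present but invalid: stop here


@dataclass
class Result:
    outcome: Outcome
    user: Optional[str] = None
    status: int = 0
    www_authenticate: Optional[str] = None


# Constructed demo data (assumptions): a one-user credential store, an HMAC key for
# HS256 tokens and a fixed clock so the claim checks are reproducible.
USERS: Dict[str, str] = {"alice": "s3cret"}
JWT_KEY = b"constructed-demo-key-not-for-production"
NOW = 1_700_000_000

Handler = Callable[[Dict[str, str], int], Result]


def _scheme_and_param(headers: Dict[str, str]):
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    return scheme.lower(), param.strip()


def basic_auth(headers: Dict[str, str], now: int) -> Result:
    """Stand-in for a Basic middleware: it only speaks for the 'Basic' scheme."""
    scheme, param = _scheme_and_param(headers)
    if scheme != "basic":
        return Result(Outcome.NOT_APPLICABLE)
    reject = Result(Outcome.REJECTED, status=401, www_authenticate='Basic realm="demo"')
    try:
        user, _, pwd = base64.b64decode(param, validate=True).decode("utf-8").partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return reject
    # constant-time comparison; an unknown user compares against "" and fails
    if not hmac.compare_digest(USERS.get(user, "").encode(), pwd.encode()):
        return reject
    return Result(Outcome.AUTHENTICATED, user=user)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """Mint an HS256 token for the demo so the handler has something to verify."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def jwt_auth(headers: Dict[str, str], now: int) -> Result:
    """Stand-in for a JWT middleware: it only speaks for the 'Bearer' scheme, verifies
    the HS256 signature first, then the exp / nbf / iat claims named on the page."""
    scheme, token = _scheme_and_param(headers)
    if scheme != "bearer":
        return Result(Outcome.NOT_APPLICABLE)  # a Basic header is not a JWT error
    reject = Result(Outcome.REJECTED, status=401, www_authenticate="Bearer")
    parts = token.split(".")
    if len(parts) != 3:
        return reject
    try:
        expected = hmac.new(JWT_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return reject  # verify before trusting any claim
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return reject
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return reject
    if header.get("alg") != "HS256" or not isinstance(claims.get("sub"), str):
        return reject  # pin the algorithm; require a subject
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now or claims.get("iat", 0) > now:
        return reject  # expired, not yet valid, or issued in the future
    return Result(Outcome.AUTHENTICATED, user=claims["sub"])


def authorize(headers: Dict[str, str], handlers: List[Handler], now: int = NOW) -> Result:
    """Run the handlers in order. The first one whose scheme matches decides;
    if none matches, fail closed and advertise every accepted scheme."""
    for handler in handlers:
        result = handler(headers, now)
        if result.outcome is not Outcome.NOT_APPLICABLE:
            return result
    return Result(Outcome.REJECTED, status=401, www_authenticate='Basic realm="demo", Bearer')


def basic_header(user: str, pwd: str) -> Dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode("ascii")}


def bearer_header(claims: dict) -> Dict[str, str]:
    return {"Authorization": "Bearer " + make_jwt(claims)}


if __name__ == "__main__":
    chain = [basic_auth, jwt_auth]
    print(authorize(basic_header("alice", "s3cret"), chain))
    print(authorize(bearer_header({"sub": "bob", "exp": NOW + 60, "nbf": NOW, "iat": NOW}), chain))
    print(authorize({}, chain))
```

The design point is the three-way return: a scheme-specific step must distinguish "no credentials for me" from "bad credentials for me". Collapsing both into an error is what produces the "JWT header not found" failure after a successful Basic login, while collapsing both into success (or misusing the "response already sent" flag as an "authorized" flag) either lets unauthenticated requests through or, as the issue found, skips the controller.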

@radexpol
Contributor Author

radexpol commented Feb 6, 2023

No, AHandled is not a solution; it prevents endpoint methods from being handled. I thought it was related to authorization.

@fastbike
Contributor

I've got a similar issue: I need to be able to store the JWT in a session, as some clients use a different endpoint to initially access my app and so will never send an authorization header. I will create a new issue ticket though.
