
Recommendations for working with JWTs and Sessionless APIs?

Open viztastic opened this issue 10 years ago • 6 comments

Hi there,

I notice that the user details are taken out of the session store. Is there a recommended way to handle this for the case where I intend to use a stateless authentication technology (such as JWT)?

A solution that comes to mind is to simply have my JWT authentication middleware populate the session.id object before passing it on to ACL?

Thanks!

viztastic avatar Aug 07 '15 10:08 viztastic

I'm fighting this myself and debating what direction I want to take my project. I'm about 1/2 ACL and 1/2 middleware - but have to support JWT. I've tried working a passport.authenticate call into my main 'isAllowed' call, but with no luck ...

Did you figure anything out?

pdfowler avatar Oct 07 '15 00:10 pdfowler

Hi, I'm just beginning to use node_acl and facing the same requirement.

I guess the right way to go would be to implement a JWT backend to get the info from the token, to be used instead of one of the existing backends (redis, mongo, memory). The main difference would be that we won't be able to modify the user permissions without issuing a new token (as they would be immutably set and signed in the JWT payload by the authentication provider at creation time). It's not a big problem: it's just the same kind of issue that forces you to log out/log in to a Linux session when you change your user groups. And with some token renewal mechanism it can be fully transparent to the user.

I'll try to share anything I can come up with on that topic.

/Yoann

yoher avatar Feb 01 '16 11:02 yoher

Did any of you end up solving this? Did you do it with node_acl or another library?

ianstormtaylor avatar Mar 08 '16 03:03 ianstormtaylor

Hi there. Short answer: no. I ended up going back to Java/Springboot for that project, and I've had no time to play with nodejs since then... Good luck with it!

yoher avatar Mar 21 '16 17:03 yoher

I am using meanjs.org in some of my projects and have implemented JWT on top of it.

After passport authenticates using jwt, the user is set in req.user.

You can then use acl.middleware() to get the user info from req.user and check for your permissions.

vigneshnrfs avatar Apr 02 '16 10:04 vigneshnrfs

@vigneshnrfs That will not work very well with stateless APIs, which is exactly what JWTs are good for. For instance, express-jwt.

Currently I have rewritten the middleware myself to read roles from JWTs; it treats sub as userId and role as a role claim from the JWT.

darkyen avatar Jul 10 '16 00:07 darkyen