Gauche icon indicating copy to clipboard operation
Gauche copied to clipboard

Published 20 hours ago verified publisher icon shirok

`rfc.http` authenticator hook

Open shirok opened this issue 6 months ago • 0 comments

Current rfc.http interface is enough if what the server asks is a simple pre-shared secret or token in authorization header. However, if the server asks some signing against request uri, headers and body, it gets messy. You first pass uri, headers, and body, to the signing procedure, which may compute a signature or wants to add some more header fields. Then you need to pass uri, (possibly modified) headers, and body, to http-get etc.

Frameworks of popular languages tend to let a pluggable authenticate look into a request record and mutate it if needed. From the user's point of view, it's nice that everything is under the hood. From the implementator's view, however, it stinks, since multiple players depend on the mutable state of the request record.

A functional API may be to pass an authenticator procedure to http-get etc., which is called with uri, headers, and body, and returns updated headers.

shirok avatar Feb 03 '24 01:02 shirok