Authentication middleware should NOT interfere with Authorization #234
Comments
Yeah, naming things is hard. I do not remember anymore why the class was named Allowing access with missing or invalid credentials is also what most users will not expect, even though the term "Authentication" is technically wrong. As a side note, even HTTP Basic Authentication (RFC 7617) suggests replying with 401 when credentials are missing. This is not a requirement, though.
I will add the word "Authorization" to the description to avoid confusion.
I got here because I was also confused. I was expecting access to the request token regardless of auth success. For example, if you have a route that returns default data without a valid token, but returns extra data if that token exists (using the identical routing). Would it be possible to configure it in this way? Thanks.
Hi,
Slim-jwt-auth is "Authentication middleware":
This middleware implements JSON Web Token Authentication.
Authentication should:
Authentication SHOULD NOT:
Because it's part of the process which should be handled by AUTHORIZATION middleware.
slim-jwt-auth is authentication middleware; there are several good reasons why you should not interchange / mix these two terms.
Please do not provide any "authorization" / denial service inside Authentication middleware, it is the wrong place to do that, and you usually want to sort your middlewares in this way:
...
Authentication / Authorization should be split into 2 middlewares and named correctly.
Preventing routes in "authentication" middleware is wrong.
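An added example, not slim-jwt-auth's own code, of the split the issue argues for and of the "default data without a token, extra data with one" routing the earlier comment asks about: one PSR-15 middleware that only authenticates (it decodes the bearer JWT into a request attribute and never denies) and a second that only authorizes (it returns 401 when the attribute is missing). It assumes Slim 4 with firebase/php-jwt 6 and PHP 8; the class names `JwtAuthenticationOnly` and `RequireAuthenticated`, the attribute name `token`, the routes `/feed` and `/me` and the `JWT_SECRET` environment variable are all hypothetical.

```php
<?php
// Added example (not the slim-jwt-auth project's code): authentication and
// authorization as two separate PSR-15 middlewares on Slim 4.
// Assumes firebase/php-jwt >= 6 and PHP >= 8.0. All names are hypothetical.

declare(strict_types=1);

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Factory\AppFactory;

/**
 * Authentication only: establish who the caller is, if anyone.
 * Never denies. A missing or invalid token leaves the attribute null,
 * so downstream code can still serve the anonymous case.
 */
final class JwtAuthenticationOnly implements MiddlewareInterface
{
    public function __construct(private string $secret, private string $attribute = 'token') {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $claims = null;
        $header = $request->getHeaderLine('Authorization');
        if (preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
            try {
                // Pin the algorithm via Key so "alg" in the token cannot pick a weaker one.
                $claims = (array) JWT::decode($m[1], new Key($this->secret, 'HS256'));
            } catch (\Exception $e) {
                // Expired, bad signature, malformed: treat as anonymous, do not deny here.
                $claims = null;
            }
        }
        return $handler->handle($request->withAttribute($this->attribute, $claims));
    }
}

/**
 * Authorization only: decide whether the (possibly anonymous) caller may proceed.
 * Consumes the attribute set upstream and answers 401 with a challenge (RFC 7235).
 */
final class RequireAuthenticated implements MiddlewareInterface
{
    public function __construct(private ResponseFactoryInterface $responses, private string $attribute = 'token') {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if ($request->getAttribute($this->attribute) === null) {
            return $this->responses->createResponse(401)
                ->withHeader('WWW-Authenticate', 'Bearer realm="api"');
        }
        return $handler->handle($request);
    }
}

$app = AppFactory::create();
$secret = getenv('JWT_SECRET') ?: throw new RuntimeException('JWT_SECRET is not set');

// Public route: serves default data anonymously, extra data when a valid token is present.
$app->get('/feed', function (ServerRequestInterface $request, ResponseInterface $response): ResponseInterface {
    $claims = $request->getAttribute('token');
    $payload = ['items' => ['public-1', 'public-2']];
    if ($claims !== null) {
        $payload['private'] = ['for' => $claims['sub'] ?? null];
    }
    $response->getBody()->write(json_encode($payload));
    return $response->withHeader('Content-Type', 'application/json');
});

// Protected route: the denial lives in route-level authorization middleware only.
$app->get('/me', function (ServerRequestInterface $request, ResponseInterface $response): ResponseInterface {
    $response->getBody()->write(json_encode($request->getAttribute('token')));
    return $response->withHeader('Content-Type', 'application/json');
})->add(new RequireAuthenticated($app->getResponseFactory()));

// App-level middleware wraps routing, so authentication runs before any
// route-level authorization middleware sees the request.
$app->add(new JwtAuthenticationOnly($secret));

$app->run();
```

With this layout, `GET /feed` without a token returns the public items, `GET /feed` with a valid token adds the private section, and `GET /me` without a token gets a 401 from `RequireAuthenticated`, never from the authentication layer. Keep the `catch` narrow in production if you need to distinguish an expired token from a forged one for logging, but the decision to deny still belongs in the authorization layer.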