1 unstable release
0.1.0 | Oct 7, 2022 |
---|
#7 in #gotham
14KB
133 lines
This is a simple convenience middleware for extracting authentication information when a Gotham framework web service (https://gotham.rs) is sitting behind a separate service (e.g., reverse proxy like Apache) where the separate service performs authentication and populates authentication information into request headers.
lib.rs
:
This is a simple convenience middleware for extracting authentication information when a Gotham framework web service (https://gotham.rs) is sitting behind a separate service (e.g., reverse proxy like Apache) where the separate service performs authentication and populates authentication information into request headers.
In normal use, it reads the request headers and puts an AuthAssertion
into the
Gotham state data which can be accessed by request handlers or other middleware.
This middleware expects that client restrictions, authentication and firewalling is handled by the reverse proxy and network configuration. However, it includes convenience features for handling unusual or misconfiguration situations.
In order of processing:
- Optionally, if a development mode override is set the AuthAssertion supplied with that will be put into the Gotham request state data and no further checks or processing will take place. This to bypass the middleware transparently during software development.
- Optionally, if a white list of client IP addresses is supplied and the request did not come from one of those addresses, the request will fail.
- If the header for the user id is not present, the request will fail.
- If an optional name for a header containing a list of group memberships is given and the header is not present, the request will fail.
- Otherwise, the AuthAssertion is added to the Gotham request state data.
Additionally, if any header values read by this middleware contain non-UTF8 data, the request will fail.
Request failure behaviour is amounts to returning a Gotham HandlerError
chaining
a HeaderAuthMiddlewareError
. You may elect to catch some specific errors and
implement a 307 redirect in your application to direct your user to an authentication
page.
Tip: if testing/developing, you can use browser add-ons like https://mybrowseraddon.com/modify-header-value.html inject headers and simulate output from the authentication reverse proxy.
To use this middleware in your code, instantiate a HeaderAuthMiddleware
and
then attach it to your pipeline, e.g., with new_pipeline().add()
.
Dependencies
~11–22MB
~308K SLoC