Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Checking an OAuth2 bearer token #64

Open
vipera opened this issue Feb 11, 2019 · 1 comment
Open

Checking an OAuth2 bearer token #64

vipera opened this issue Feb 11, 2019 · 1 comment

Comments

@vipera
Copy link

vipera commented Feb 11, 2019

Hey,

I'm looking into using Raisin for implementing a nice API into a legacy system, using OAuth2 bearer tokens. I couldn't find any Raisin-based solution that does something similar, aside from Rack middleware that I include and then manually check the environment at the top of every handler (ugly!).

I'd like to make a proof of concept where I intercept a HTTP request, call a custom handler to check that a bearer token exists and is valid, and then proceed if that is the case.

I'm trying to do this as a plugin. However, I've hit a few walls, most notably that I can register a plugin but I can't actually get any information about the route handler I'm calling it before and I can't register a hook to intercept calls.

Working from a high-level concept of how I'd like it to work inspired by Wine Bouncer:

plugin 'OAuth2';
oauth2_setup(
  validate_bearer_token => sub {
    my ($token, $scopes) = @_;
    # ...
  }
);

summary 'Get user';
oauth2 'users:read', 'admin';
params(
  required('userid', type => Int, desc => 'User ID'),
);
get sub {

};

I'd like to mark up this route with users:read and admin as a list of required token scopes (any one will do). I tried hacking this into the $SETTINGS used by the Swagger plugin, but looks like the ones that aren't known are not actually propagated or stored anywhere.

Next up, I'd like to hook into the request chain, and have my handler fire at before_validation, for instance. However, hooks don't have any context about the route or request, and neither can they stop processing. Bummer! I was thinking to do something like:

before_validation sub {
  my ($self, $route, $request, $response) = @_;
  if ($route->metadata_or_whatever->{oauth2}) {
    # more checks here ...
    return (403, 'Not permitted to access this resource');
  }
};

from the plugin code iself, and just call into the user bearer validator (seen above) to check the token.

Is the idea behind hooks/plugins to be able to accommodate something like this or am I looking at the wrong feature?

@khrt
Copy link
Owner

khrt commented Feb 12, 2019

Hey Marin,

Is the idea behind hooks/plugins to be able to accommodate something like this or am I looking at the wrong feature?

Plug-in (and hooks) isn't able to solve your problem. I actually see it as a plug-in which allows your to do oauth2 'users:read', 'admin';

and a middleware where you can do return 403, 'Forbidden';.

But there is indeed a problem that currently you're not able to put your own data to $SETTINGS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants