Access to authentication

[thekid]

Currently web handlers have access to the authenticated user via the request value named user, which is returned by the authentication flow. However, the following use-cases are not possible without workarounds:

• Logging out the user
• Updating the user
• Aggregating other information alongside the user

To make this possible, a new value authentication could be passed to the request containing methods to access user and session.

[thekid]

This is a primitive logout implementation (abbreviated example inside App::routes()):

return [
  '/logout' => function($req, $res) use($sessions) {
    if ($session= $sessions->locate($req)) {
      $session->destroy();
      $session->transmit($res); // This is necessary with the current implementation but IMO shouldn't be
    }

    $res->answer(302);
    $res->header('Location', '/?logged-out');
  },
  // ...
}

As can be seen, it needs to know that the authentication uses a session-based approach.

[thekid]

First ideas

Logout:

'/logout' => function($req, $res) {
  if ($req->value('authentication')->logout($req, $res)) {
    $res->answer(302);
    $res->header('Location', '/?logged-out');
  }
},

Updating user value:

'/' => function($req, $res) {
  $user= $req->value('user');

  // Fetch user from database
  $current= $this->repo->user($user['id']);
  $req->value('authentication')->update('user', $current);
},

[thekid]

Another idea

Instead of a web.Request class, authentication could pass a class inherited from that, web.auth.Authenticated, thus simplifying the code as follows:

'/logout' => function(Authenticated $req, Response $res) {
  if ($req->logout($res)) {
    $res->answer(302);
    $res->header('Location', '/?logged-out');
  }
},
'/refresh' => function(Authenticated $req, Response $res) {
  $req->update('user', $this->repo->user($req->user()['id']));
},

However, decorating the Request class is quite cumbersome, there's quite a bit of methods to overwrite with delegating implementations.

[thekid]

Sessions accessor

• ExpressJS simply has request.session, see https://www.npmjs.com/package/express-session#reqsession
• KTor uses call.sessions, see https://ktor.io/docs/server-sessions.html#use_sessions

For us, this would be:

$session= $req->session(); // Returns a web.Session instance or NULL

$session->register('key', 'value');
$session->value('key');
$session->remove('key');

// Logout
$session->destroy();

[thekid]

...or we use:

$logout= function(Request $req, Response $res, Context $ctx) {
  $ctx->logout();

  $res->answer(302);
  $res->header('Location', '/?logged-out');
};

However, this is a bigger rewrite affecting quite a bit of the web API.