refactor auth mechanism into plugin structure #251
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
I am performing some integration of OpenKB into our internal authentication systems. As part of this work I needed to refactor some of the login procedures so that I could insert my own login code.
After seeing #72, #144, and #248, I decided to implement my integration in such a way that might be useful for you, and am submitting the change as a PR, with a brief description. This is partly selfish, as my design choice was made so that assuming a PR was accepted, implementation of each auth provider would have no impact on the rest of the codebase, therefore making future version upgrades simpler.
This change adds a
pluginsdirectory, with anauthsubdirectory. (Who knows what else could be made pluggable.) Inside this directory should be self contained modules, including their ownpackage.json/installednode_modules. I did this so the plugins themselves are not dependant on OpenKB's ownpackage.json, nor do they need to add their dependencies to it.I then moved a number of database-login related routes into a new
dbplugin in this directory, and added a setting in the config file,auth_providerto use this by default. The resulting behaviour in a default installation is the same as it was before, however, additional plugins can now be inserted into this directory and the corresponding setting changed to use a different one.Plugins themselves are not completely decoupled - they assume the role of express middleware. For auth provider plugins (currently the only type of plugin...), there are three functions that the module is expected to export:
route(router)- called just before the rest of theindex.jsroutes are set up, allowing the plugin to insert its own routes to handle things like posting back to whatever login page it provideslogin(req, res)- called by the/loginroute inindex.js. I guess this could have been provided by the plugin but I wanted to retain some consistency - (also because there was a lot of stuff referring to/loginthat didn't need refactoring for what I needed to do)logout(req, res)- called by the/logoutroute inindex.jsafter it's cleared all the session data. it should redirect or do whatever else is appropriateI used this to auto-login users based on some data that my authentication service provided, but I can see this also being useful to integrate LDAP, OAuth2, and even things like HTTP basic auth by the proxy webserver (e.g. Apache)
I welcome any thoughts / comments