Incoherent behaviour of publicEndpoints option in authenticationMiddleware #220

bzums opened this issue Jun 7, 2018 · 4 comments
@bzums
Collaborator

bzums commented Jun 7, 2018

if (publicEndpoints && publicEndpoints.some(pattern => originalUrl.startsWith(pattern))) {

When a public endpoint test is added, then all endpoints starting with test (e.g. test-another) will also be public, which is not expected.

We should discuss how to handle subresources like test/another => should they also be public by default or not?

@bzums bzums added the bug label Jun 7, 2018
@bzums bzums changed the title incoherent behaviour of publicEndpoints option in authenticationMiddleware Incoherent behaviour of publicEndpoints option in authenticationMiddleware Jun 7, 2018
@Retro64
Collaborator

Retro64 commented Jun 12, 2018

It makes no sense to inherit the security level of sub resources - at least if the resource itself is public (e.g. if the sub resource contains confidential data). Therefore a predicate like equals makes more sense. On the other hand, equals is not feasible, as /res/${id}/subres/${subid} cannot be matched via equals directly.

@ValentinFunk
Contributor

It would be possible to use req.route to get the route of the request. So you could do publicEndpoints = [ '/res/${id}/subres/${subid}' ].

The only issue is that if you mount express sub apps you would probably need to create middleware instances for each so that the route is given correctly.

@bzums
Collaborator Author

bzums commented Oct 4, 2018

Indeed, I think inheriting is not a good idea. To really solve the issue I guess we need to support passing a regexp to publicEndpoints?!

@ValentinFunk
Contributor

Maybe just a callback where users can define their own logic? So everyone can use whatever they prefer. I feel that honestly users should just apply middleware only where needed, so that you wouldn't need to use this at all. If this is not possible they could then do it in whatever way they like (regex, route parsing, perhaps even header based if there is a possibility of an auth proxy in front).
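The following is an added example, not code from the project or from any participant in this thread. It reproduces the prefix check quoted at the top of the issue and sets it beside a matcher that treats each publicEndpoints entry as an exact path, an Express-style route pattern with :params (covering the /res/:id/subres/:subid case), an explicit RegExp, or a predicate callback, which are the three options proposed above. It has no Express dependency and works on the originalUrl string, so the req.route variant is not shown. The function names (isPublicPrefix, routePatternToRegExp, compilePublicEndpoints, isPublicEndpoint) and the sample entries (/health, /login) are assumptions for illustration.

```javascript
// Added example: prefix matching (as quoted in the issue) versus whole-path
// matching for an authentication middleware's public-endpoint allowlist.
// Names and sample endpoints below are constructed for illustration.

// The check quoted in the issue: any URL that merely starts with a configured
// pattern is treated as public, so '/test' also exposes '/test-another'.
function isPublicPrefix(publicEndpoints, originalUrl) {
  return Boolean(publicEndpoints) &&
    publicEndpoints.some(pattern => originalUrl.startsWith(pattern));
}

// Turn a route pattern like '/res/:id/subres/:subid' into a RegExp anchored
// at both ends. A :param segment matches [^/]+, so it can never swallow a
// slash and silently extend the match into a sub resource.
function routePatternToRegExp(pattern) {
  const body = pattern
    .split('/')
    .map(seg => seg.startsWith(':')
      ? '[^/]+'
      : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')) // escape literal segments
    .join('/');
  // Optional trailing slash is a design choice; drop the '/?' to be strict.
  return new RegExp(`^${body}/?$`);
}

// Normalise every publicEndpoints entry into a predicate over the path.
// Strings become anchored route patterns (an entry without :params is
// therefore an exact match), RegExps are used as given, functions are
// user callbacks as proposed in the thread.
function compilePublicEndpoints(publicEndpoints) {
  return (publicEndpoints || []).map(entry => {
    if (typeof entry === 'function') return entry;
    if (entry instanceof RegExp) return path => entry.test(path);
    if (typeof entry === 'string') {
      const re = routePatternToRegExp(entry);
      return path => re.test(path);
    }
    throw new TypeError(`unsupported publicEndpoints entry: ${String(entry)}`);
  });
}

// Decide on the path only. The query string is attacker-controlled and must
// not influence the decision: '/test-another?x=/test' is not '/test'.
// Splitting on '?' uses the same raw path the Express router matches on.
function isPublicEndpoint(predicates, originalUrl) {
  const path = originalUrl.split('?')[0];
  return predicates.some(p => p(path));
}

// Constructed configuration mixing all supported entry kinds.
const publicEndpoints = [
  '/test',                                    // exact path only
  '/res/:id/subres/:subid',                   // route pattern with params
  /^\/health(\/live|\/ready)?$/,              // explicit regexp
  path => path === '/login' || path === '/logout', // callback
];
const isPublic = compilePublicEndpoints(publicEndpoints);

// Reproduces the report: prefix matching exposes '/test-another' and
// '/test/another'; whole-path matching does not.
console.log('prefix  /test-another ->', isPublicPrefix(['/test'], '/test-another'));
console.log('matcher /test-another ->', isPublicEndpoint(isPublic, '/test-another'));
console.log('matcher /test/another ->', isPublicEndpoint(isPublic, '/test/another'));
console.log('matcher /res/42/subres/7 ->', isPublicEndpoint(isPublic, '/res/42/subres/7'));
console.log('matcher /res/42/subres/7/secret ->',
  isPublicEndpoint(isPublic, '/res/42/subres/7/secret'));
```

In a middleware the call would be isPublicEndpoint(isPublic, req.originalUrl) before the authentication step, with the predicates compiled once at construction time rather than per request. Because every string entry is anchored, opting a whole subtree in requires saying so explicitly (a RegExp such as /^\/docs(\/.*)?$/ or a callback), which is the "not by default" answer to the subresource question raised in the first comment.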


3 participants