-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why is identity forced to be string? #397
Comments
I could be mistaken, as the details are not fresh in my mind, but that sounds like it makes it impossible to mix and match identity policies. If you are passing some custom Expected behaviour, would be that you pass the user's ID (it is called an identity for a reason), which can then be remembered safely by any Then in the other functions where you receive the identity, you would do something like |
While a trivial point, I note even your suggestion of As for mix&matching...why would I want to mix and match a home-grown, specific-to-my-application identity? Especially considering JWT which allows you to store arbitrary claims (i.e., by design JWT is meant to store far more than just an id). Can I note there's a protoype of a JWT IdentityPolicy in the source (undocumented -- considered not ready for primetime?) which doesn't implement My implementation ties together an IdentityPolicy, AuthorizationPolicy, and middleware (processing requests with the Meanwhile, here's what I'll have to do to wrap the stock import aiohttp_security as aiosec
async def remember(request, response, *, user, **claims):
await aiosec.remember(request, response, '__unused__', user=user, **claims) And then code my impl accordingly: async def remember(self, req, resp, identity, *, user, **claims):
... |
I often use the username as the ID (which is what is shown in most of the examples). If it's an int, you can still convert it easily with
If you don't want compatibility with the defined API in order to have mix-and-match things, then I'm not sure what this library is actually offering you. You might as well just call It'll also make static typing a lot easier for you. I'm looking at adding annotations soon, and if we went with your approach, then all the functions would need to be annotated with
Seems to be deliberate: #147 (comment) I think there is some mistunderstanding/disagreement about how the library is meant to work. I don't have enough in-depth knowledge right now to provide more useful feedback though. |
All I'm saying is forcing |
The API accepts an identity, you want to send it a User which is identity plus password plus whatever may be appropriate for your use case. The problem is that the library cannot know what the operations on your User object are. There could be some variation to equality, for example, and your calling code should know have to know whether the current or future versions of aiohttp-security may ever want to use equality (for example somebody might want to add some caching operations and uses the identity as a key, then you try caching and everything works, but it will fail in production because the wrong fields are compared). It's the wrong mental model for "identity". |
The module-level function,
remember()
asserts that the identity is a string:Shouldn't that be the burden of the underlying implementation of an IdentityPolicy?
My use-case: I'm building a custom IdentityPolicy and associated AuthorizationPolicy that sends a JWT token back to the client with a custom header. In my user-session code I want to be able to do, e.g.:
The implementation of my policies expects a User instance in all places an identity is passed around. When creating the JWT the state of the user instance dictates the claims made. I want this logic in the IdentityPolicy not in the caller.
It seems to me that at the API level identities should be opaque and leave serialization/validation up to the underlying policy implementations.
The text was updated successfully, but these errors were encountered: