What is the best approach to implement http authentication (validation) using actix web?
Using the provided examples for a simple-auth-server, I can authenticate a request and create a cookie accordingly.
Now I want to validate the cookie/identity in order to prevent access from certain routes. A Guard doesn't cut it because I can only retrieve the stored identity using Identity::from_request(HttpRequest, Payload) and in RequestHead (guard implementation), there is neither the full request nor its payload.
I cannot use Middleware either because I will only get access to ServiceRequest but not HttpRequest.
I'm using the openid protocol with an external authentication provider (keycloak) and just copied the example from the openid crate that uses actix-web.
Thanks for your input.
They are actually just using the FromRequest trait on the User struct to do authorization.
That's an idea I guess.
This helps, but I'm still curious if this is the best approach.
For now I can do it like this though.
I'm still looking for a good solution to this problem.
Maybe somebody can have a look into this.
I'm using CookieIdentityPolicy to achieve cookie-based session management. I built some sort of authentication on top of it and I now want to implement a Guard to do some path-based checks. For that, I would like to retrieve the Identity. So far I came up with this in order to retrieve the authentication cookie value, but since the CookieIdentityPolicy handles the decryption of the value, I didn't get any further. Can anybody point me in the right direction or share some best practice?
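Added example, not code from this thread, from the actix-web examples or from the openid crate: the validation logic that sits behind the "FromRequest on the User struct" approach mentioned earlier and behind the path-based Guard asked about in the post above. It is written against the Rust standard library only so it runs without actix-web; in a real service extract_user is what a FromRequest impl for User would call, and authorize is the check a handler or wrapping extractor applies. Assumptions not taken from the thread: the cookie is named sid and carries an opaque server-side session id (not the encrypted value CookieIdentityPolicy writes), the roles are "user" and "admin", and everything under /api/admin/ is admin-only; the session data is constructed sample data.

```rust
use std::collections::HashMap;

/// The authenticated principal an extractor (actix-web's FromRequest) would hand to a handler.
#[derive(Debug, Clone, PartialEq)]
pub struct User {
    pub name: String,
    pub roles: Vec<String>,
}

/// Why a request was refused; a real extractor maps these to 401 / 403 responses.
#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingCookie,
    UnknownSession,
    Forbidden,
}

/// Assumed cookie name; the thread does not state one.
pub const SESSION_COOKIE: &str = "sid";

/// Server-side session store keyed by the opaque id carried in the cookie.
/// Assumption: the cookie holds a random session id that is looked up here, rather than
/// the encrypted identity value that CookieIdentityPolicy produces.
pub struct SessionStore {
    sessions: HashMap<String, User>,
}

impl SessionStore {
    /// Constructed sample data: two live sessions, one of them for an admin.
    pub fn demo() -> Self {
        let mut sessions = HashMap::new();
        sessions.insert(
            "sess-alice".to_string(),
            User { name: "alice".into(), roles: vec!["user".into()] },
        );
        sessions.insert(
            "sess-root".to_string(),
            User { name: "root".into(), roles: vec!["user".into(), "admin".into()] },
        );
        SessionStore { sessions }
    }

    /// Logout: drop the server-side session so a replayed cookie no longer resolves.
    pub fn forget(&mut self, session_id: &str) -> bool {
        self.sessions.remove(session_id).is_some()
    }
}

/// Pull one cookie out of a Cookie request header ("a=1; sid=abc; b=2").
pub fn cookie_value(header: &str, name: &str) -> Option<String> {
    header
        .split(';')
        .filter_map(|pair| pair.trim().split_once('='))
        .find(|(k, _)| *k == name)
        .map(|(_, v)| v.trim().to_string())
}

/// Authentication step: resolve the request's cookie to a user or refuse the request.
pub fn extract_user(cookie_header: Option<&str>, store: &SessionStore) -> Result<User, AuthError> {
    let header = cookie_header.ok_or(AuthError::MissingCookie)?;
    let sid = cookie_value(header, SESSION_COOKIE).ok_or(AuthError::MissingCookie)?;
    store.sessions.get(&sid).cloned().ok_or(AuthError::UnknownSession)
}

/// Authorization step: the path-based check the Guard was meant to do.
/// Paths under /api/admin/ need the "admin" role; other paths only need a valid session.
pub fn authorize(path: &str, cookie_header: Option<&str>, store: &SessionStore) -> Result<User, AuthError> {
    let user = extract_user(cookie_header, store)?;
    if path.starts_with("/api/admin/") && !user.roles.iter().any(|r| r == "admin") {
        return Err(AuthError::Forbidden);
    }
    Ok(user)
}

/// Response headers for anything whose content depended on the session, so the browser
/// does not serve it from its cache after logout (the back-button case).
pub fn no_store_headers() -> [(&'static str, &'static str); 2] {
    [("Cache-Control", "no-store"), ("Pragma", "no-cache")]
}

fn main() {
    let mut store = SessionStore::demo();
    println!("{:?}", authorize("/api/admin/users", Some("sid=sess-alice"), &store));
    store.forget("sess-alice");
    println!("{:?}", authorize("/api/profile", Some("sid=sess-alice"), &store));
}
```

Keeping the session state on the server is what makes forget effective: once the entry is removed, a cookie that survives in the browser (or is replayed from a cached page) resolves to UnknownSession instead of a user. Sending the no_store_headers on every session-dependent response keeps the browser from rendering stale authenticated content from its cache.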
This looks very promising, but when I do this and click the back button on localhost after a call to 'forget' in the logout handler, the user still seems to be authenticated in requests to the API made from the cached page.
Thank you - I did that and the cookie vanished in dev tools and then was resurrected after pressing the back button. I don't fully know what is happening but I think it may have something to do with browsers differentiating localhost and 127.0.0.1 for some purposes and identifying them for others relating to cookie management. In any event I will leave off pursuing it on this thread as I am satisfied that it doesn't really relate to the original question or your very helpful answer.