基于Cro的perl6中的基本认证

Question

我正在寻找一个简单的解决方案，以保护我的路由与基本身份验证机制与Cro。在我的示例中，如果您根本不提供任何凭据，我希望看到一个401 Unauthorized。如果您提供了错误的凭据，我希望看到一个403 Forbidden

在我的代码示例中，我从未见过调用MyBasicAuth中间件：

class MyUser does Cro::HTTP::Auth {
    has $.username;
}

subset LoggedInUser of MyUser where { .username.defined }

class MyBasicAuth does Cro::HTTP::Auth::Basic[MyUser, "username"] {
    method authenticate(Str $user, Str $pass --> Bool) {
        # No, don't actually do this!
        say "authentication called";
        my $success = $user eq 'admin' && $pass eq 'secret';
        forbidden without $success;
        return $success
    }
}

sub routes() is export {
    my %storage;
    route {
        before MyBasicAuth.new;
        post -> LoggedInUser $user, 'api' {
            request-body -> %json-object {
                my $uuid = UUID.new(:version(4));
                %storage{$uuid} = %json-object;
                created "api/$uuid", 'application/json', %json-object;
            }
        }
    }
}

Answer 1

这一结构：

route {
    before MyBasicAuth.new;
    post -> LoggedInUser $user, 'api' {
        ...
    }
}

取决于即将发布的CRO0.8.0中的新before/after语义。在当前的Cro版本中，在询问/编写时(以及之前的版本)中，before在route块中只适用于已经匹配的路由。然而，对于中间件来说，这太晚了，因为中间件的目的是影响匹配的内容。在Cro 0.8.0之前这样做的方法是在服务器级别挂载中间件，或者执行如下操作：

route {
    before MyBasicAuth.new;
    delegate <*> => route {
        post -> LoggedInUser $user, 'api' {
            ...
        }
    }
}

它确保在考虑任何路由匹配之前应用中间件。这并不是很漂亮，因此即将到来的0.8.0中的变化(这也将引入一个具有原始before语义的before)。

最后，forbidden without $success;不会在这里工作。forbidden子程序是Cro::HTTP::Router的一部分，用于路由处理程序，而中间件不绑定到路由器(因此您可以决定以不同的方式路由请求，例如，不会失去使用所有中间件的能力)。authenticate方法的约定是，它返回一个确定应该发生什么的真实值；它不是尝试并强制执行不同响应代码的适当位置。

如果不匹配像LoggedInUser这样的auth约束，就会产生401。要重写它，在最外层的after块中添加一个route来映射它：

route {
    before MyBasicAuth.new;
    after { forbidden if response.status == 401; }
    delegate <*> => route {
        post -> LoggedInUser $user, 'api' {
            ...
        }
    }
}

Answer 2

目前，cro发布版本中似乎存在一个bug，该版本已经在github的上游修复。在#perl6irc通道的sena_kun帮助下，我们确实使用了当前版本的cro-http

$ git clone https://github.com/croservices/cro-http.git
$ perl6 -Icro-http/lib example.p6

然后在curl上，我终于看到了所谓的“身份验证”。我们又发现了两个小虫子：

first one:当我调用curl -v -d '{"string":"hi"}' http://admin:secret@localhost:10000/api时，忘记添加-H 'Content-Type: application/json'

authentication called An operation first awaited:   in sub request-body at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 716   in block  at restapp/example.pl line 24 in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 130

Died with the exception:
    Cannot unbox a type object (Nil) to int.
      in sub decode-payload-to-pairs at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/BodyParsers.pm6 (Cro::HTTP::BodyParsers) line 62
      in method parse at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/BodyParsers.pm6 (Cro::HTTP::BodyParsers) line 50
      in method body at /home/martin/.rakudobrew/moar-2018.08/install/share/perl6/site/sources/557D6C932894CB1ADE0F83C0596851F9212C2A67 (Cro::MessageWithBody) line 77
      in sub request-body at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 716
      in block  at restapp/example.pl line 24
      in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 130

第二个 one是因为在这个部分中调用了forbidden：

class MyBasicAuth does Cro::HTTP::Auth::Basic[MyUser, "username"] {
    method authenticate(Str $user, Str $pass --> Bool) {
        say "authentication called";
        my $success = $user eq 'admin' && $pass eq 'secret';
        forbidden unless $success;
        return $success;
    } }

这导致了这样的堆栈跟踪：

authentication called
Can only use 'content' inside of a request handler
  in sub set-status at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 846
  in sub forbidden at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Router.pm6 (Cro::HTTP::Router) line 823
  in method authenticate at restapp/example.pl line 15
  in method process-auth at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Auth/Basic.pm6 (Cro::HTTP::Auth::Basic) line 26
  in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Auth/Basic.pm6 (Cro::HTTP::Auth::Basic) line 11
  in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Auth/Basic.pm6 (Cro::HTTP::Auth::Basic) line 8
  in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/Internal.pm6 (Cro::HTTP::Internal) line 22
  in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/RequestParser.pm6 (Cro::HTTP::RequestParser) line 109
  in block  at /home/martin/.workspace/voteimproved/cro-http/lib/Cro/HTTP/RequestParser.pm6 (Cro::HTTP::RequestParser) line 90
  in block  at /home/martin/.rakudobrew/moar-2018.08/install/share/perl6/site/sources/F048BB66854D2463798A39CC2B01D4CC1532F957 (Cro::TCP) line 53

我想这个虫子很快就会修好的！