Questions about TokenAuth filter

[jozefrebjak]

Is TokenAuth filter usable only for Mobile applications where we need to login with username/email and password to get Access Token ?

Do we need to create another filter to take care about returning status code 401 ? Isn't this a standard way how to return bad api request to the user with correct status code ?

Is this a standard how to return wrong Token API call ?

        if (! $result->isOK() || (! empty($arguments) && $result->extraInfo()->tokenCant($arguments[0]))) {
            return redirect()->to('/login');
        }

Isn't this a better ?

        if (! $result->isOK() || (! empty($arguments) && $result->extraInfo()->tokenCant($arguments[0]))) {
                $response = service('response');
                $response->setStatusCode(401, 'unauthorized');
                $response->setJSON([
                    'status'  => false,
                    'message' => 'Invalid token.',
                ]);
        }

[kenjis]

Is TokenAuth filter usable only for Mobile applications where we need to login with username/email and password to get Access Token ?

See https://github.com/codeigniter4/shield/blob/develop/docs/authentication.md#access-token-authenticator

Do we need to create another filter to take care about returning status code 401 ?

Yes.

[jozefrebjak]

@kenjis but why is there redirect to login, if $result->isOK() returns false ?

We still need another route for mobile devices to login as described in PR #422, for me is still better to return code 401 with message Invalid token and leave client to decide what to do if access token is not working anymore for whatever reason.

[jozefrebjak]

This is returned if I don't provide valid token from my dev project.

HTTP/1.1 307 Temporary Redirect
Server: nginx/1.23.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.9
Set-Cookie: ci_session=caf95b7fa7820595317c3679c629c7b5cbf57ee0; expires=Mon, 12-Sep-2022 11:20:00 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-control: no-store, max-age=0, no-cache
Location: http://localhost:8080/login
Date: Mon, 12 Sep 2022 09:20:00 GMT

I'm not happy with that. Because client is just redirected to login, but there is not clear what happened and why we are redirected. How to handle this with client? If we return standard code 401 with message what happened then it's easier to implement logic what to do, and there can be next step in client to ask for new access token and use this token in next api call.

HTTP/1.1 401 unauthorized
Server: nginx/1.23.1
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ci_session=c326d8d556c1bad72daf04e0bc7cd8bc77d4b880; expires=Mon, 12-Sep-2022 11:26:28 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
Cache-control: no-store, max-age=0, no-cache
Date: Mon, 12 Sep 2022 09:26:29 GMT

{
    "status": false,
    "message": "Invalid token."
}

This is much better for me to handle it, rather than be redirected somewhere.

I can copy paste the whole TokenAuth filter and implement this, but is this what we really want? Please provide some standards where it's implemented with redirects, because I cant get it.

Thank you.

[jozefrebjak]

Another scenario is not to talk with mobile devices at all, but only with third party software which is consuming our API. Then we don't need to login at all. Just provide UI interface where user can create Access Token and use it.

[jozefrebjak]

Also this line need to be splitted from my point of view.

if (! $result->isOK() || (! empty($arguments) && $result->extraInfo()->tokenCant($arguments[0]))) {

First we need to check if Access Token is valid

if not return 401

and then check scopes and return a different code with message like: You don't have access to this scope etc.

[kenjis]

@jozefrebjak See #580

[kenjis]

@jozefrebjak You posted to Q&A.
If you have opinions, it is better to post to other category.

but why is there redirect to login, if $result->isOK() returns false ?

I don't know.