@divarvel divarvel commented May 18, 2023

While biscuit-servant provides biscuit support in servant, not everybody uses servant (shocking, I know).

This middleware is based on the same ideas:

  • token extraction & parsing can be done for all endpoints in the same way
  • actual authorization usually has per-endpoint logic / depends on data extracted during routing, so will usually happen outside middleware
  • in some cases, authorization logic will be the same everywhere, so dedicated support should be provided to run the whole authorization process in a middleware.

Notes

The default configuration for both middlewares uses the same error type, for simplicity. It means that the default error type has an AuthorizationError branch even though it's not possible to reach it when only parsing is handled.

No post-processing of authorization results is possible, since the request extensions method is type-directed and requires a dedicated key shared by the middleware and its users. At that point, either writing a post-processing middleware or re-writing the middleware from scratch is simpler.

ToDo

  • token extraction & parsing
    • default behaviour (bearer token, single public key, default error messages)
    • custom behaviour (token extraction, public key selection, custom error handling)
  • complete authorization
  • find better names
  • documentation
  • support for optional biscuit (e.g. don’t fail if nothing is extracted, but still return errors if something invalid is extracted)
  • add initial changelog
  • add @since annotations

@divarvel divarvel mentioned this pull request Jul 5, 2023
70 tasks
@divarvel divarvel force-pushed the wai-middleware branch 2 times, most recently from b41933b to 94ffc8b Compare April 23, 2024 21:04
@divarvel divarvel force-pushed the wai-middleware branch 2 times, most recently from 6d3dbf1 to 851bcfa Compare June 24, 2025 08:01
@divarvel divarvel marked this pull request as ready for review June 24, 2025 20:10
@divarvel divarvel merged commit 91abccf into main Jul 7, 2025
5 checks passed
@divarvel divarvel deleted the wai-middleware branch July 7, 2025 19:19
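The split described in the pull request (parse once in a middleware, authorize per endpoint or in a second middleware) can be sketched as follows. This is an added example, not code from the pull request or from biscuit-haskell: every name is hypothetical, token parsing and the authorization check are passed in as plain functions, and it assumes the "request extensions" mentioned in the notes correspond to WAI's request vault.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added illustration, not biscuit-haskell code; every name here is hypothetical.
module TokenMiddleware where

import qualified Data.ByteString    as BS
import qualified Data.Vault.Lazy    as Vault
import           Network.HTTP.Types (hAuthorization, status401, status403)
import           Network.Wai

-- One error type shared by both middlewares: the parse-only middleware
-- can never produce AuthorizationError, but the branch still exists.
data TokenError = NoToken | ParseError String | AuthorizationError String

errorResponse :: TokenError -> Response
errorResponse err = case err of
  NoToken              -> responseLBS status401 [] "missing token"
  ParseError _         -> responseLBS status401 [] "invalid token"
  AuthorizationError _ -> responseLBS status403 [] "forbidden"

-- Default extraction: the bearer token from the Authorization header.
extractBearer :: Request -> Maybe BS.ByteString
extractBearer req =
  lookup hAuthorization (requestHeaders req) >>= BS.stripPrefix "Bearer "

-- Parse-only middleware: reject missing or invalid tokens, otherwise store
-- the parsed token in the request vault under a key created once at startup
-- with Vault.newKey and shared with the handlers.
parseOnly :: Vault.Key tok -> (BS.ByteString -> Either String tok) -> Middleware
parseOnly key parse app req respond =
  case maybe (Left NoToken) (either (Left . ParseError) Right . parse) (extractBearer req) of
    Left err  -> respond (errorResponse err)
    Right tok -> app req { vault = Vault.insert key tok (vault req) } respond

-- Handler side: fetch the parsed token, then run per-endpoint authorization
-- with whatever data routing extracted.
getToken :: Vault.Key tok -> Request -> Maybe tok
getToken key = Vault.lookup key . vault

-- Whole-process middleware for the case where the authorization logic is the
-- same everywhere: parse, then apply one check before calling the application.
authorizeAll :: Vault.Key tok -> (BS.ByteString -> Either String tok)
             -> (Request -> tok -> IO (Either String ())) -> Middleware
authorizeAll key parse check = parseOnly key parse . gate
  where
    gate app req respond = case getToken key req of
      Nothing  -> respond (errorResponse NoToken)
      Just tok -> check req tok >>=
        either (respond . errorResponse . AuthorizationError) (const (app req respond))
```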