Query: support for anonymous users via Soul-Auth

[IanMayo]

This is a query regarding the implementation of Authentication and Authorisation within soul-cli.

I have a requirement to support anonymous access to my application. At a basic level, I picture a soul API request being sent without a JWT token, and soul allowing GET on any resource.

I imagine we could introduce a set of role_permissions for a special role which only allow READ content to tables. Somehow, soul would translate anonymous calls as being calls using that role - and provide access according to the specified role_permissions.

I guess this would be implemented in src/middlewares/auth.js, as changed processing in hasAccess for if the request.cookies.accessToken is missing.

I also-guess that for this special processing we'd introduce a runtime -anonRole config parameter that specifies the role id to be used for unauthenticated (anonymous) users.

Feedback is welcomed on this :-D

[thevahidal]

Hey @IanMayo,

I think I understand exactly what you’re looking for. The idea would be:

• If a request comes in without a JWT token, Soul would automatically treat it as coming from a configurable “anonymous” role (config.anonRole).
• Permissions for that role (from role_permissions) would determine what actions are allowed — typically read-only (GET) access to tables.
• Requests with a valid JWT would continue working as usual.
• If a table method is allowed by the anonymous role, it would bypass the usual role permissions of authenticated users, meaning the anon role acts as a direct override for public access.

Pseudocode for hasAccess might look like:

function hasAccess(req, table, action) {
  const token = req.cookies.accessToken;
  let roleId;

  if (token) {
    const user = decodeAndFetchUser(token);
    roleId = user.role_id;
  } else if (config.anonRole) {
    roleId = config.anonRole;  // fallback to anonymous role
  } else {
    return false; // no token and no anonRole
  }

  return checkRolePermissions(roleId, table, action);
}

This way, anonymous requests can safely access allowed resources without a token, while keeping the existing auth system intact.

Does this approach match what you had in mind?

[IanMayo]

Yes, that matches what I had in mind - and would securely provide a set of access permissions for anonymous users.

Hmm, would it also be a valid way of handling a rejected access token? I'm don't know much about auth/auth or access tokens, but could a user arrive with an access token from another app? If that happened we'd still like him processed as anonymous user. Aah, but if access tokens are specific to a host/port - then that wouldn't happen.

[thevahidal]

No need to worry about that scenario — we store the access token in an HttpOnly cookie, and browsers only send cookies for the domain and path that set them. So tokens from other apps won’t be sent to our backend.

The only case where the anonymous fallback applies is when no token is present, keeping everything secure.

[IanMayo]

No need to worry about that scenario

That's great - thanks @thevahidal

Note: while my users will get immediate value from the FK sort working, this capability is a more theoretical one - part of me imagining what a fully rounded capability soul-cli should provide.