You can use the magic of XQuery closures to write that "if" only once, as here
in the role-check function:

(: these functions live in a library module that binds the prefix "web";
   the module declaration itself was not part of the posting :)

(:~
: return all users as json if this session is for admin
:)
declare
%rest:GET %rest:path("cellar/api/users")
%output:method("json")
function web:users() {
   web:role-check("admin", function() {
       <json arrays="json" objects="user">
              {for $u in db:open('cellar', "users.xml")/users/user
               return <user>
                   <id>{$u/@id/fn:string()}</id>
                   <name>{$u/@name/fn:string()}</name>
                 </user>}
       </json>
   })
};

(:~
: execute function fn if the session has a logged-in user with a matching role,
: else 401
:)
declare function web:role-check($role as xs:string, $fn as function() as item()*) {
  let $uid := session:get("uid")
  (: assumes the login handler stored the user's roles under the session key "roles" :)
  let $roles := session:get("roles")
  return if ($uid and $role = $roles) then
          $fn()
         else web:http-auth("Whizz apb auth", ())
};

(:~
: 401 Unauthorized with a WWW-Authenticate challenge, see
: http://restpatterns.org/HTTP_Status_Codes/401_-_Unauthorized
:)
declare function web:http-auth($auth-scheme, $response) {
   (
   <rest:response>
       <http:response status="401">
           <http:header name="WWW-Authenticate" value="{$auth-scheme}"/>
       </http:response>
   </rest:response>,
   $response
   )
};

Looks a lot like node.js ;-)
/Andy
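An added example (not Andy's code and not part of BaseX) that carries the closure pattern above through to one complete RESTXQ library module: a form login that fills the session, a logout, and a role-check wrapper that distinguishes "not logged in" (401) from "logged in but lacking the role" (403). Assumed, because the thread does not fix them: the module namespace URI, a cellar/users.xml in which each user carries salt and hash attributes and role children, the session keys "uid" and "roles", and the login/logout paths.

```xquery
(: Added example, not from the BaseX-Talk post or the BaseX project.
   Assumed: module URI, users.xml layout <user id name salt hash><role/>*</user>,
   session keys "uid" and "roles". Drop the file into BaseX's RESTXQ directory. :)
module namespace auth = "http://example.org/cellar/auth";

declare namespace rest   = "http://exquery.org/ns/restxq";
declare namespace http   = "http://expath.org/ns/http-client";
declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";

(:~ Bare status response with no body, so a caller annotated with
 : %output:method("json") never has to serialise an error text. :)
declare function auth:status($code as xs:integer, $message as xs:string)
    as element(rest:response) {
  <rest:response>
    <http:response status="{$code}" message="{$message}"/>
  </rest:response>
};

(:~ Run $fn only when the session user holds $role.
 : No user in the session  -> 401: the client has to (re)authenticate.
 : User but wrong role     -> 403: authenticating again will not help.
 : Collapsing both into 401 (as the posted version does) hides that difference
 : from clients and from anyone reading the access log. :)
declare function auth:role-check($role as xs:string, $fn as function() as item()*)
    as item()* {
  let $uid   := session:get("uid")
  let $roles := session:get("roles")   (: sequence of strings written at login :)
  return
    if (empty($uid)) then auth:status(401, "Login required")
    else if (not($role = $roles)) then auth:status(403, "Role " || $role || " required")
    else $fn()
};

(:~ Form login. Verifies a per-user salted SHA-256 digest (assumed layout);
 : on success only uid and roles from users.xml go into the session, never
 : anything taken from the request. :)
declare
  %rest:POST
  %rest:path("cellar/api/login")
  %rest:form-param("name", "{$name}")
  %rest:form-param("pass", "{$pass}")
function auth:login($name as xs:string?, $pass as xs:string?)
    as element(rest:response) {
  let $u := (db:open('cellar', 'users.xml')/users/user[@name = $name])[1]
  (: salted SHA-256 stands in for a slow password KDF (bcrypt, PBKDF2), which
     BaseX does not ship; bind one from Java for production use :)
  let $digest := if ($u) then xs:string(xs:hexBinary(hash:sha256($u/@salt || $pass))) else ()
  return
    if ($u and $digest = upper-case($u/@hash)) then (
      session:set("uid", $u/@id/string()),
      session:set("roles", $u/role/string()),
      auth:status(204, "Logged in")
    ) else
      (: identical answer for unknown user and wrong password: no user enumeration :)
      auth:status(401, "Bad credentials")
};

declare
  %rest:POST
  %rest:path("cellar/api/logout")
function auth:logout() as element(rest:response) {
  session:close(),
  auth:status(204, "Logged out")
};

(:~ The endpoint from the post, now guarded by the 401/403-aware check. :)
declare
  %rest:GET
  %rest:path("cellar/api/users")
  %output:method("json")
function auth:users() as item()* {
  auth:role-check("admin", function() {
    <json arrays="json" objects="user">{
      for $u in db:open('cellar', 'users.xml')/users/user
      return <user>
        <id>{$u/@id/string()}</id>
        <name>{$u/@name/string()}</name>
      </user>
    }</json>
  })
};

(: Usage against a default BaseX HTTP server (port 8984), constructed names:
     curl -c jar -d name=andy -d pass=secret http://localhost:8984/cellar/api/login
     curl -b jar http://localhost:8984/cellar/api/users      -> 200 + JSON, or 403
     curl http://localhost:8984/cellar/api/users              -> 401, no session :)
```

The 401 from auth:status deliberately carries no WWW-Authenticate header: with form-based login there is no HTTP challenge scheme to advertise, and a "Basic" challenge would make browsers pop their own dialog. For a pure API client that is fine; a browser-facing page would answer with a 303 to the login form instead.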

On Thu, Nov 15, 2012 at 1:37 PM, Christian Grün <christian.gr...@gmail.com> wrote:

> Hi Daniel,
>
> you may be interested to hear that we already have some first thoughts
> on extending the RESTXQ API with an authentication module. As you
> indicated, those "if" constructs are the current way to go. While it
> works fine in practice, I agree it's not the way it should be. The
> reasons why we haven't chosen a solution yet are that..
>
> -- we didn’t have enough time to put more focus on that issue
>
> -- we didn't want to restrict ourselves to the use cases we're
> currently aware of
>
> Maybe we should start off with a little spec describing what the %auth
> annotations should look like, where the authentication functionality
> will be located, and how we can ensure that also protocols like OAuth
> can be supported. As soon as we have specified the basics, the
> implementation shouldn’t cause too much headache. If you have some
> concrete ideas, your input is more than welcome!
>
> In the end, I’d like to get the enhancement into the work-in-progress
> RESTXQ draft (the exquery GitHub issue tracker is probably the best
> platform to discuss such extensions and propose extensions [1]). This
> is why I cc'ed this mail to Adam Retter..
>
> Christian
>
> [1] https://github.com/exquery/exquery/issues
> ___________________________
>
> On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička
> <daniel.kvasni...@me.com> wrote:
> > Hi folks,
> >
> > I'd like to write an app using RESTXQ and I'd like to auth users using a
> regular form-based authentication and then on some XQuery functions check
> for an existing user session (and possibly user roles). I'd also like to
> add some social media login using OAuth (later).
> > My question is - is it somehow possible to do this in a declarative way?
> For example custom annotations on XQuery handlers? Something like
> %auth:roles-allowed("admin")
> > I definitely don't want to "if" at the beginning of every function that
> should be protected. No problem with implementing this in Java or XQuery.
> Just tell me how to approach this orthogonal concern in a reasonable way...
> > Or should I equate app users with BaseX users and leverage BaseX auth?
> >
> > Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a
> good tool for that).
> >
> > Daniel
> >
> > --
> > danielkvasnicka.net
> >
> > _______________________________________________
> > BaseX-Talk mailing list
> > BaseX-Talk@mailman.uni-konstanz.de
> > https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk