You can use the magic of XQuery closures to write that "if" only once, as here in the role-check function:
(: the post omits the module declaration; the namespace URI below is assumed,
   and the functions are prefixed so that the web:role-check call resolves :)
module namespace web = "http://example.org/web";

(:~ : return all users as json if this session is for admin :)
declare
  %rest:GET
  %rest:path("cellar/api/users")
  %output:method("json")
function web:users() {
  web:role-check("admin", function() {
    <json arrays="json" objects="user">{
      for $u in db:open('cellar', "users.xml")/users/user
      return
        <user>
          <id>{ $u/@id/fn:string() }</id>
          <name>{ $u/@name/fn:string() }</name>
        </user>
    }</json>
  })
};

(:~ : execute function fn if session has logged in user with matching role, else 401 :)
declare function web:role-check($role as xs:string, $fn) {
  let $uid := session:get("uid")
  return
    (: the post left the role lookup as "..checkrole here..."; comparing a
       role stored in the session under "role" is one assumed way to fill it :)
    if ($uid and session:get("role") = $role)
    then $fn()
    else web:http-auth("Whizz apb auth", ())
};

(:~ : REST created http://restpatterns.org/HTTP_Status_Codes/401_-_Unauthorized :)
declare function web:http-auth($auth-scheme, $response) {
  (
    <rest:response>
      <http:response status="401">
        <http:header name="WWW-Authenticate" value="{$auth-scheme}"/>
      </http:response>
    </rest:response>,
    $response
  )
};

Looks a lot like node.js ;-)

/Andy

On Thu, Nov 15, 2012 at 1:37 PM, Christian Grün <christian.gr...@gmail.com> wrote:
> Hi Daniel,
>
> you may be interested to hear that we already have some first thoughts
> on extending the RESTXQ API with an authentication module. As you
> indicated, those "if" constructs are the current way to go. While it
> works fine in practice, I agree it's not the way it should be. The
> reasons why we didn't choose a solution yet are that..
>
> -- we didn't have enough time to put more focus on that issue
>
> -- we didn't want to restrict ourselves to the use cases we're
> currently aware of
>
> Maybe we should start off with a little spec describing what the %auth
> annotations should look like, where the authentication functionality
> will be located, and how we can ensure that also protocols like OAuth
> can be supported. As soon as we have specified the basics, the
> implementation shouldn't cause too much headache. If you have some
> concrete ideas, your input is more than welcome!
>
> In the end, I'd like to get the enhancement into the work-in-progress
> RESTXQ draft (the exquery GitHub issue tracker is probably the best
> platform to discuss such extensions and propose extensions [1]). This
> is why I cc'ed this mail to Adam Retter..
>
> Christian
>
> [1] https://github.com/exquery/exquery/issues
> ___________________________
>
> On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička
> <daniel.kvasni...@me.com> wrote:
> > Hi folks,
> >
> > I'd like to write an app using RESTXQ and I'd like to auth users using a
> > regular form-based authentication and then on some XQuery functions check
> > for an existing user session (and possibly user roles). I'd also like to
> > add some social media login using OAuth (later).
> > My question is - is it somehow possible to do this in a declarative way?
> > For example custom annotations on XQuery handlers? Something like
> > %auth:roles-allowed("admin")
> > I definitely don't want to "if" at the beginning of every function that
> > should be protected. No problem with implementing this in Java or XQuery.
> > Just tell me how to approach this orthogonal concern in a reasonable way...
> > Or should I equal app users to BaseX users and leverage BaseX auth?
> >
> > Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a
> > good tool for that).
> >
> > Daniel
> >
> > --
> > danielkvasnicka.net
_______________________________________________
BaseX-Talk mailing list
BaseX-Talk@mailman.uni-konstanz.de
https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
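As an added example (not code from this thread, and not BaseX's own API beyond the RESTXQ, Session and JSON serialization features it relies on), here is a small self-contained RESTXQ module that puts Andy's closure pattern together with the form-based login Daniel described: a login handler that stores the user name and roles in the server session, a role-check wrapper that answers 401 when nobody is logged in and 403 when the logged-in user lacks the role, a protected endpoint, and a logout. The module namespace URI, the `app:` prefix, the paths and the in-memory user table are assumptions made for the example.

```xquery
(: Added example, not code from the thread. Assumes BaseX RESTXQ with the
   Session Module available; the namespace URI, paths and user table are
   illustrative. :)
module namespace app = "http://example.org/app";

(: Constructed user table with plaintext secrets, for illustration only;
   a real application stores salted password hashes and reads them from a
   database. :)
declare variable $app:USERS :=
  <users>
    <user name="alice" secret="wonderland" roles="admin user"/>
    <user name="bob"   secret="builder"    roles="user"/>
  </users>;

(:~ : 401 with a WWW-Authenticate challenge: nobody is logged in. :)
declare function app:unauthorized($scheme as xs:string) as element(rest:response) {
  <rest:response>
    <http:response status="401" message="Unauthorized">
      <http:header name="WWW-Authenticate" value="{ $scheme }"/>
    </http:response>
  </rest:response>
};

(:~ : 403: the session is authenticated but the user lacks the role. :)
declare function app:forbidden() as element(rest:response) {
  <rest:response>
    <http:response status="403" message="Forbidden"/>
  </rest:response>
};

(:~ : Run $fn only if the session holds a logged-in user with one of $roles.
   Callers pass the protected body as a closure, so the check is written once. :)
declare function app:role-check(
  $roles as xs:string+,
  $fn    as function() as item()*
) as item()* {
  let $uid  := session:get("uid")
  (: roles were stored as one space-separated string at login; an absent
     key yields the empty sequence, which string() turns into "" :)
  let $held := tokenize(string(session:get("roles")), " ")
  return
    if (empty($uid)) then app:unauthorized('Basic realm="app"')
    else if ($held = $roles) then $fn()   (: general comparison: any overlap :)
    else app:forbidden()
};

(:~ : Form-based login (application/x-www-form-urlencoded POST). :)
declare
  %rest:POST
  %rest:path("app/login")
  %rest:form-param("user",   "{$user}")
  %rest:form-param("secret", "{$secret}")
function app:login($user as xs:string?, $secret as xs:string?) as item()* {
  let $u := $app:USERS/user[@name = $user]
  return
    (: plain "=" on the secret is not constant-time; fine for the constructed
       table here, not for a real credential store :)
    if ($u and $u/@secret = $secret) then (
      session:set("uid",   string($u/@name)),
      session:set("roles", string($u/@roles)),
      <ok>logged in as { $user }</ok>
    ) else app:unauthorized('Basic realm="app"')
};

(:~ : Protected endpoint: only the "admin" role may list users. :)
declare
  %rest:GET
  %rest:path("app/users")
  %output:method("json")
function app:users() as item()* {
  app:role-check("admin", function() {
    <json arrays="json" objects="user">{
      for $u in $app:USERS/user
      return <user><name>{ string($u/@name) }</name></user>
    }</json>
  })
};

(:~ : Logout: drop the whole server-side session. :)
declare
  %rest:GET
  %rest:path("app/logout")
function app:logout() as item()* {
  session:close(),
  <ok>logged out</ok>
};
```

Assuming the module is deployed under BaseX's webapp directory on the default port, a session can be exercised with a cookie jar: `curl -c jar -d 'user=alice&secret=wonderland' http://localhost:8984/app/login` followed by `curl -b jar http://localhost:8984/app/users`; logging in as `bob` instead makes the second call return 403, and calling it without the jar returns 401. Note that a browser shows a native dialog when it sees a `Basic` challenge, so for purely form-based flows a redirect to the login page is often the friendlier response to an anonymous request; the 401 is kept here because it is what API clients expect.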