Seperate authorization to different routes #21
Comments
|
Hey @GeorgeTsagk Thanks for filing this issue and so sorry for the delay. Not sure why I never got an email from GitHub. In any case, the most straightforward solution that comes to mind with the given setup would be to create a custom config that checks on a per path basis. A pre-built one comes with boltwall that is going to be similar to what you need, the This seems like a very useful caveat config to have actually. If you end up doing something like this, let me know as I'd be happy to consider adding it to the built in configs available with the library. And if you have any questions about how the caveats work, don't hesitate to reach back out. I'll make sure GH is sending me emails form now on! |
|
Hey @bucko13 , thanks for commenting back. I will eventually implement this caveat, and I shall also comment again once that is done. |
|
Hey @bucko13, alluding to your comment above, the I'm wondering if there's a way is to adjust the 'minAmount' based on the request, without instantiating a unique config for each possible request. For example: |
|
So, The idea in boltwall is that the client can actually be the one that says how much it wants to pay. This may seem counter-intuitive, but when you tie this to the caveats in the LSAT it can be quite powerful: the request indicates how much the client wants to pay, and the caveats can restrict access based on how much they decided. With the caveat you can create access restrictions based on how much the client offered to pay without having to determine a fixed amount. So for example, if you have a time-based system with access for 1 minute per 100 sats, if the client asks for an invoice to pay 1000, boltwall can create an LSAT caveat that expires in 10 minutes. This is essentially what the built-in time config does here. If you wanted to create a system where the user or client didn't have to make any decisions about the amount, and you wanted this all to happen on the server, you could create a middleware that's before boltwall that sets the So, that would look something like this: app.use((req, res, next) => {
if (req.query.id === 1) req.query.amount = 5
else if (req.query.id === 2) req.query.amount = 10
next()
})
app.use(boltwall())The above is very rough and you might want to do different customizations for sub paths or something, but hopefully that helps give you an idea. As you can see, this check doesn't actually have to interact with boltwall at all. If all you want to do is only allow access if an invoice of a certain amount is paid, then you don't actually need a special caveat; the LSAT will be valid if the invoice created was paid and invalid if it wasn't. If you wanted to tie other conditions on it, like time, then you can add that via the configs. Hope that helps! |
|
Thank you @bucko13! Definitely gives some good direction. I’ll play around with this today. |
|
Opened a PR to address this feature: #28 |
Current implementation has a global perception of authorizing a client.
E.g. After I pay the invoice I can provide the
Authorizationheader and access a protected resource, but this same header will allow me to pass through any other protected route. There is no differentiation between which resources this specific header can access.I have tried defining different boltwall middleware instances like this
but it doesn't seem to get the job done as paying the
/downloadendpoint will also grant me access to the/uploadendpointIs there a way to provide access to specific routes and not to the whole API?
The text was updated successfully, but these errors were encountered: