context.user through middlewareConfigFn

I’ve created an API that uses multer to upload a file via the middlewareConfig, but I’d like to make use of auth to prevent unauthorized access to the route. context.user returns undefined even when the API is called through the client. Also, even if it were to return an authorization header, how do I prevent the file from uploading before it reaches the (!context.user) if statement? I’ve read through the docs, but there is nothing too detailed regarding the use of auth through APIs declared in main.wasp.
9 Replies
martinsos (15mo ago)
You can set auth field in API declaration in wasp to true, so it will check for jwt token and put it in context.user. You can also call it from client via @wasp/api, which will make sure to set jwt token if user is logged in. Stopping upload sooner - could you share a bit of details on how upload happens? So it happens earlier, before that check? Could you share your code for the middleware?
simplestake (15mo ago)
Thank you for your help. My code looks something like:

    export const uploadVideoMiddlewareFn: MiddlewareConfigFn = (middlewareConfig) => {
      // Entries are registered in this order: the auth check, then multer
      middlewareConfig.set("context", authMiddleware);
      middlewareConfig.set("multer", upload.single("file"));
      // A MiddlewareConfigFn has to return the config it was given
      return middlewareConfig;
    };

However, authMiddleware only receives req, res and next as arguments. If I use context.user in the actual api function, the file would have already been uploaded since it has passed through the middleware. Also, if I use api.post in the client, I’m having issues with cors preventing me from uploading the file. However, if I change it to fetch I can upload the file, but context.user is undefined.
martinsos (15mo ago)
Thanks for explaining @simplestake! I am traveling today, so I can't properly try out stuff, instead I will share some ideas off the bat, and then tomorrow I can take some time to try it out myself and help you find a solution. As for quick thoughts:
- I should double check, but I believe authMiddleware sets user in the request object, most likely in request.user. Later it is picked up from there and put into context for the action. This means you can add your own custom middleware function right after middlewareConfig.set('auth', authMiddleware) that checks req.user (I would console.log req to confirm this) and then performs auth check based on that. As I said, I can't test this at the moment but it should work.
- cors - post is a type of request that needs preflight request (option request) so you will want to properly set cors for OPTION also, not just POST, and your best bet is probably via apiNamespace feature.

Sorry for the trouble you are having here, middleware configuration is relatively new and we could certainly improve docs / DX around it - I will try to also learn as much as I can from this interaction so we improve it!

Btw most Wasp users don't upload stuff to server, but to external services like S3 - it is simpler to implement + doesn't put unnecessary strain on the server. Is there a specific reason why you are doing it directly?
simplestake (15mo ago)
Good luck on your trip! I got it to work using the apiNamespace feature and the Authorization header. Thanks again for your help!
martinsos (15mo ago)
@simplestake great, very glad to hear that! Do you mind sharing some code here, of how you did it via apiNamespace feature? Also, how did you use Authorization header -> did you parse it directly? It could help us find a way to possibly improve this for future Waspeteers :D.
simplestake (15mo ago)
Yes, the authorization header is parsed and verified using jwt.verify (the secret key is "DEVJWTSECRET" for the dev env). As you suggested, the apiNamespace feature was used to correct the cors issues I was having. In the middleware, cors is configured first, then the authorization, and the file is then uploaded via multer. If you have any questions let me know. I'd be happy to share more details. Thanks again.
martinsos (15mo ago)
Thanks for sharing! How is it that you had to parse the auth header yourself though -> trying to get user from req didn't work? If you could throw in a couple of code snippets here that would be awesome!
simplestake (15mo ago)
I didn’t find user in the request, so the next best thing was parsing the header myself. I don’t think user is included in the middleware req.
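The ordering the thread arrives at (verify the Authorization header, and only then let multer touch the request) is sketched below as an added example; it is not code from any participant or from Wasp. It assumes the middleware config applies entries in insertion order, swaps jsonwebtoken's jwt.verify for an HS256 check built on node:crypto so it runs without dependencies, and uses hypothetical names (signToken, verifyToken, requireAuth, runUpload) plus a stand-in for upload.single('file').

```javascript
// Added example: HS256 checked with node:crypto, a swap for jwt.verify.
const { createHmac, timingSafeEqual } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Demo helper (constructed): mint a token the way a login endpoint would.
function signToken(payload, secret) {
  const data = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${data}.${mac(data, secret).toString('base64url')}`;
}

// Returns the payload, or null for a malformed, forged, wrong-alg or expired token.
function verifyToken(token, secret, now = Date.now() / 1000) {
  const [head, body, sig, extra] = String(token).split('.');
  if (!head || !body || !sig || extra !== undefined) return null;
  try {
    const { alg } = JSON.parse(Buffer.from(head, 'base64url'));
    if (alg !== 'HS256') return null; // pin the algorithm, never trust the header
    const want = mac(`${head}.${body}`, secret);
    const got = Buffer.from(sig, 'base64url');
    if (got.length !== want.length || !timingSafeEqual(got, want)) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof payload.exp === 'number' && payload.exp > now ? payload : null;
  } catch { return null; }
}

// Express-style middleware: answers 401 and never calls next() on failure.
const requireAuth = (secret) => (req, res, next) => {
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  const user = m && verifyToken(m[1], secret);
  if (!user) return res.status(401).end();
  req.user = user;
  next();
};

// Stand-in for the request pipeline: an insertion-ordered Map like middlewareConfig.
function runUpload(headers, secret) {
  const out = { status: 200, uploaded: false };
  const chain = new Map([
    ['auth', requireAuth(secret)],
    ['multer', (req, res, next) => { out.uploaded = true; next(); }], // upload.single('file') stand-in
  ]);
  const req = { headers };
  const res = { status(code) { out.status = code; return res; }, end() {} };
  const steps = [...chain.values()];
  (function run(i) { if (i < steps.length) steps[i](req, res, () => run(i + 1)); })(0);
  return out;
}
```

Because requireAuth returns without calling next(), the upload step is never reached for a missing, forged or expired token. In a deployed app the secret passed to requireAuth would come from the server's environment configuration.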