#duct
2020-01-27
Kira McLean 17:01:50

Hello! I have a question about serving static files in my duct app. We’d like for some files to pass through our authentication middleware but not others, depending on a route param. For example, I want all requests for a static file at downloads/live/:an-id/:a-file-name to be handled normally, but all requests for downloads/:an-id/:another-id/:a-file-name to also be authenticated (and of course only serve the file if the user is authenticated). We are using ataraxy, so my question is whether it is possible to set this up with config. I’m under the impression that it’s not because 1) ataraxy routes are not ordered and 2) regexes are not valid edn, so I can’t ensure the live route gets checked first, and I can’t configure the admin middleware to be applied only to routes that match a certain pattern (we don’t know all the possible ids for these downloads ahead of time). But, I’m not familiar with duct or ataraxy, so wondering if there’s some way to do this with config (as opposed to needing to write a custom middleware to accomplish it). I’d appreciate any insight anyone might have about how to set this up, or just a confirmation that it’s not possible with config alone.

kelveden 13:01:58

You could assign middleware on a route-by-route basis in your configuration but, given that it's auth middleware, that would presumably mean having to assign it to every route except that one "general download" route - which would be easy to forget if you then added a new route later. So probably not ideal. However, apart from that I can't see how you can avoid some sort of custom middleware. Does your auth middleware understand something like an apply-auth? flag on the request map, telling it whether to apply authentication rules? That way you could have a small bit of custom middleware further up in your app that sets that flag depending on whether the routes match.

weavejester 14:01:47

Ataraxy routes can be ordered by replacing a map with a list, and while regexes are not valid edn, I believe the Clojure edn reader still interprets them.

kelveden 14:01:04

Could one define multiple lists of ataraxy routes and assign different middleware to each list from within the duct config.edn?

weavejester 14:01:24

I think the routes would have to have different prefixes to group them…

Kira McLean 14:01:54

Ok, thank you for the input! We do actually have groups of ataraxy routes with different middlewares at the moment, but yeah, we do it by grouping them under a prefix. Right now the auth middleware is only applied to /admin routes. Your idea of checking for an apply-auth? flag on the request is interesting — that’s a different way I hadn’t thought about. Thanks!

👍 4