How do I validate an established session using the shelf_auth library?

Question

I've been trying to write a simple server that accepts username/password credentials, validates them, then creates a JWT token for the client that they then use to gain access to certain routes. I am able to do everything up to the point of receiving and validating the client's JWT on the server side.

void main() {
//use Jwt based sessions and create the secret using a UUID
JwtSessionHandler sessionHandler = 
    new JwtSessionHandler('ffl_sales_server', new Uuid().v4(), 
    auth.lookupByUsername);

  //allow http for testing with curl, do not use in production
  bool allowHttp = true;

  final Map<String, String> headers = 
    {'Access-Control-Allow-Origin': 'http://192.168.100.83:3030',
     "Access-Control-Expose-Headers": "Authorization",
     "Access-Control-Allow-Credentials" : "true",
     "Access-Control-Allow-Headers" : "Authorization"};

  //fix the cors headers 
  Response options(Request request) => (request.method == 'OPTIONS') ?
      new Response.ok(null, headers: headers) : null;
  Response cors(Response response) => 
      response.change(headers: headers);
  Middleware fixCors = createMiddleware(requestHandler: options, 
      responseHandler: cors);

  // authentication middleware for a login handler (post)
  Middleware loginMiddleware = authenticate(
      [new UsernamePasswordAuthenticator(lookupByUsernamePassword)],
      sessionHandler: sessionHandler, allowHttp: allowHttp, 
      allowAnonymousAccess: false);

  // authentication middleware for routes other than login that 
  // require a logged in user
  // here we are relying solely on users with a session established  
  // via the login route
  Middleware defaultAuthMiddleware = authenticate(
      [],sessionHandler: sessionHandler, allowHttp: true, 
      allowAnonymousAccess: false);

  Router rootRouter = router(handlerAdapter: handlerAdapter()); 

  //the route where the login credentials are posted
  rootRouter.post('/login', (Request request) => new Response.ok('SUCCESS'), middleware: loginMiddleware);

  //the routes which require an authenticated user
  rootRouter.child('/authenticated', 
      middleware: defaultAuthMiddleware)
    ..add('/users', ALL_METHODS, new Users(_connection).handle)
    ..add('/stores', ALL_METHODS, new Stores(_connection).handle)
    ..add('/departments', ALL_METHODS, new Departments(_connection).handle)
    ..add('/invoices', ALL_METHODS, new Invoices(_connection).handle)
    ..add('/reports', ALL_METHODS, new Reports(_connection).handle)
    ..add('/imports', ALL_METHODS, new Imports(_connection).handle)
    ..add('/vendors', ALL_METHODS, new Vendors(_connection).handle)
    ..get('/foo', (Request request) => 
         new Response.ok("Doing foo as ${loggedInUsername(request)}\n"));

  printRoutes(rootRouter);

  Handler handler = const Pipeline()
      .addMiddleware(fixCors)
      .addMiddleware(logRequests())
      .addMiddleware(exceptionResponse())
      .addHandler(rootRouter.handler);

  shelf_io.serve(handler, '127.0.0.1', '8080').then((server){
    print('Serving as http://${server.address.host}:${server.port}');
  });
}

I know I'm probably missing something simple, but it seems like I should have some sort of handler in the first parameter of the authenticate() function that creates the defaultAuthMiddleware. What am I missing?

Answer 1

It looks like the issue was in my Auth class. The lookupByUsername function was simply not finding the authenticated user because the lookupByUsernamePassword function was storing it in function scope instead of class scope due to an oversight on my part.

Thanks for the help!

Answer 2

I think you need to pass the sessionMiddleware to the other routes like

 ..add('/invoices', ALL_METHODS, new Invoices(_connection).handle, 
     middleware: defaultAuthMiddleware)

Maybe there is a better way but this is the main difference I found to my setup which works fine.