
We are looking to take an approach where there are service accounts in MarkLogic, but not accounts for all actual users. We would use a custom authentication token, JWT in this case, and then via xdmp:login, elevate the calling user to the appropriate roles.

This is all fine if we create a custom HTTP server with our own rewriter to our modules. If we want to leverage the already built out REST API, is the only option to essentially create a wrapper around each of the XQuery modules that get dispatched to from the REST rewriter, in order to call the xdmp:login flow prior to fulfilling the rest of the REST API workflow? I did not see any way with the enhanced HTTP rewriter configuration to run arbitrary XQuery code before the dispatch flow.

Is this a feasible idea, or just a bad idea?

TJ Tang
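The custom-server variant the question describes (verify the token, then xdmp:login with the caller's roles before dispatching), as an added example that is not code from the question or from MarkLogic. It assumes an HS256 JWT in the Authorization header with a `roles` claim listing MarkLogic role names, a pre-provisioned service user `token-user`, a placeholder shared secret, a hypothetical downstream module `/app/handler.xqy`, and that xdmp:login's role-names parameter restricts the request to exactly those roles.

```xquery
xquery version "1.0-ml";

(: Added example: verify an HS256 JWT, then elevate the request via xdmp:login.
   Assumed: "roles" claim of ML role names, service user "token-user", and a
   shared secret (placeholder below; in practice read from a protected document). :)

declare variable $SECRET := "PLACEHOLDER-shared-secret";   (: constructed placeholder :)
declare variable $SERVICE-USER := "token-user";            (: assumed service account :)

declare function local:b64url-decode($s as xs:string) as xs:string {
  let $std := fn:translate($s, "-_", "+/")
  let $pad := (4 - fn:string-length($std) mod 4) mod 4
  return xdmp:base64-decode(fn:concat($std, fn:string-join(for $i in 1 to $pad return "=", "")))
};

(: Returns the claims map only when alg, signature and expiry all check out;
   any malformed token (bad base64, bad JSON, wrong part count) yields empty. :)
declare function local:verify-jwt($token as xs:string) as map:map? {
  try {
    let $parts := fn:tokenize($token, "\.")
    let $mac := xdmp:hmac-sha256($SECRET, fn:concat($parts[1], ".", $parts[2]), "base64")
    let $expected := fn:replace(fn:translate($mac, "+/", "-_"), "=+$", "")   (: base64url :)
    let $header := xdmp:from-json-string(local:b64url-decode($parts[1]))
    let $claims := xdmp:from-json-string(local:b64url-decode($parts[2]))
    let $now := (fn:current-dateTime() - xs:dateTime("1970-01-01T00:00:00Z")) div xs:dayTimeDuration("PT1S")
    where fn:count($parts) = 3
      and map:get($header, "alg") = "HS256"   (: rejects "none" and any other alg :)
      and $expected = $parts[3]               (: note: not a constant-time compare :)
      and xs:decimal(map:get($claims, "exp")) > $now
    return $claims
  } catch ($e) { () }
};

let $auth := xdmp:get-request-header("Authorization")
let $claims := if (fn:starts-with($auth, "Bearer ")) then local:verify-jwt(fn:substring($auth, 8)) else ()
return
  if (fn:empty($claims)) then
    xdmp:set-response-code(401, "Unauthorized")
  else (
    (: Empty password skips the password check (needs the xdmp:login privilege on
       the app server's role). set-session = false so every request re-verifies
       the token instead of leaving a logged-in session behind. :)
    xdmp:login($SERVICE-USER, (), fn:false(), json:array-values(map:get($claims, "roles"))),
    xdmp:invoke("/app/handler.xqy")   (: hypothetical downstream module :)
  )
```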

2 Answers


Best practice with the REST API is to use a middle tier. Exposing the REST API directly to your end users is analogous to doing so with an ODBC connection -- something you generally wouldn't do.

My suggestion is to set up a middle tier and use that to gather credentials, then login as needed.

Dave Cassel

You can modify the out-of-the-box REST API endpoints to perform an xdmp:login, but of course that creates complexity when performing an upgrade, and when deploying an app. That's really a worst-case scenario.

Are you able to map all of your users to a much smaller set of ML users, perhaps on the order of dozens? Then a middle tier can do something similar to xdmp:login - it can look at the user's profile and determine which ML user to connect to ML with. That's not quite as flexible as xdmp:login, which lets you pick any roles you want without creating a user as a holder for them, but it may do the trick.

rjrudin
  • Thanks. We are picking the xdmp:login route because we cannot map users to a smaller set of ML users. And we want it to be flexible. Thanks for the suggestion though. I am assuming there is nothing that we can hook into prior to the rewriter being called? – TJ Tang Feb 29 '16 at 21:22