Split session

[klaidliadon]

Split session and verify middleware.

JWT Auth is created by an interface, which has two implementations:

• Static: replaces the existing fixed secret
• Project dependent: allows to return a different JWT Auth depending on the Project.

[david-littlefarmer]

Do i understand it right, that on every request we create new JWT verifier and check the token against it?

If so, then why not to predefine them for exmaple in array and just try to iterate through them, until the one of them is successful since the private and/or public keys are defined on startup of server.

Also can you please describe some simple flow of verifier? I find it confusing.

[VojtechVitek]

Great, this is getting better!

[VojtechVitek]

I feel like we could split Options struct into two types -- one for Verifier and one for Sessions.

[VojtechVitek]

Imho, this middleware needs nothing but JWTSecret and ErrHandler. It should always verify HS256 JWT from both Authorization header and Cookie.

I don't see the need for AuthProvider interface. Is it useful for anything else? I think it just locks us down to this implementation -- switching algorithms, jwks or supporting secret rotation or multiple algorithms would be more difficult.

[VojtechVitek]

Imho, stack/api's ProjectJWTVerifier should be a a separate implementation that doesn't have anything in common with this Verifier except for passing the token into context via ctx = jwtauth.NewContext(ctx, token, nil)

[VojtechVitek]

Session needs ErrorHandler, UserStore and a way to fetch AccessKey.

[VojtechVitek]

Suggested change

	name = auth-control
	name = authcontrol