scopes for custom authenticator

[ryanhungate]

Hey Jason,
If I wanted to :

1. use the logged in user to automatically set the api user ( I know how to use the custom auth function )
2. possibly restrict access to certain api paths / resources etc

how would you go about this?

[gabrielkoerich]

I've sent a pull request for your first issue.

For now you can change the api config to use that auth provider. See #48 and https://github.com/dingo/api/wiki/Authentication#custom-authentication-providers.

[ryanhungate]

yeah honestly that's the easy part - i have something very similar to your auth provider, but im trying to see if there is some fancy way to set permissions for a group or something based on route names or something... just dont want to get all crazy with it, but I know it's needed

[gabrielkoerich]

Sure! Im my case i'm protecting certain routes based on a permission table. All permissions values are named as route.action (eg. user.index, user.store, user.delete) and I use a filter to evaluate that. Not sure if it is the best way.

[ryanhungate]

so maybe add a ( groups ) row to that table, and use a csv or a * for any group ( defaulted to * )
add a ( api_users_groups ) table with rows : user_id and group
if the route has * or a match for any of the records on the api_users_groups table - it passes.

Sounds easy enough I guess, but I may want to do this with an array instead.