Improving authentication flexibility
The authentication capabilities for publishing packages are somewhat limited right now. I was looking into adding authentication through our existing infrastructure (be that fetching from a database directly or making an API request to another service), but customising the auth implementation turned out not to be as straightforward as adding a route or a plugin. I noticed however that there's the possibility of adding other methods through a package, but that proved to be a good foundation for a more flexible solution.
The way I was thinking about it is that the publishAuth.type field could accept 2 types:
First, a string - this would cause it to work as it does now, look for a package named oc-auth-[type] and set the scheme based on that package.
// index.js
const registry = new oc.Registry({
  publishAuth: {
    type: 'ldap'
  }
});
Second, an object - this would set the scheme to the object, so that one may do type: require('./auth/mysql') and define their own validate and middleware logic.
// index.js
const registry = new oc.Registry({
  publishAuth: {
    type: require('./auth/mysql')
  }
});

// auth/mysql.js
module.exports.validate = function() { /* ... */ };
module.exports.middleware = function() { /* ... */ };
Just a quick hack of the registry/domain/authentication.js file allowed me to support this (the logic in the if statement might not be the best here):
module.exports.validate = function(authConfig) {
  if (typeof authConfig.type !== 'string') {
    scheme = authConfig.type;
  } else if (builtin[authConfig.type]) {
    scheme = builtin[authConfig.type];
  } else {
    // ... [existing implementation]
  }
  return scheme.validate(authConfig);
};
Any thoughts?
Sounds good to me.
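A stricter form of the type check sketched in the first post, as an added example that is not part of the original thread or of the oc code base: it rejects `null`, non-objects and incomplete scheme objects, and looks up built-ins by own property only. `resolveScheme`, `loadPlugin` and `tokenScheme` are hypothetical names; the `{ isValid, message }` return shape and the Express-style middleware signature are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical custom scheme of the kind the post's auth/mysql.js would export.
// Assumption: validate(authConfig) returns { isValid, message } and
// middleware(authConfig) returns an Express-style (req, res, next) handler.
const tokenScheme = {
  validate(authConfig) {
    const isValid = typeof authConfig.token === 'string' && authConfig.token.length >= 32;
    return { isValid, message: isValid ? '' : 'publishAuth.token must be a string of 32+ chars' };
  },
  middleware(authConfig) {
    const expected = crypto.createHash('sha256').update(authConfig.token).digest();
    return (req, res, next) => {
      const sent = String(req.headers.authorization || '').replace(/^Bearer /, '');
      const actual = crypto.createHash('sha256').update(sent).digest();
      // Hashing first gives equal-length buffers for the constant-time compare.
      if (crypto.timingSafeEqual(expected, actual)) return next();
      res.statusCode = 401;
      res.end('Unauthorized');
    };
  }
};

// Constructed stand-in for the registry's table of built-in schemes.
const builtin = { token: tokenScheme };

// Resolve publishAuth.type to a scheme; throw unless it is a complete scheme.
// loadPlugin is a hypothetical injected loader (e.g. require) for oc-auth-* packages.
function resolveScheme(type, loadPlugin) {
  let scheme;
  if (typeof type === 'string') {
    // Own-property check: builtin['constructor'] would otherwise resolve
    // to Object.prototype.constructor and be treated as a scheme.
    scheme = Object.prototype.hasOwnProperty.call(builtin, type)
      ? builtin[type]
      : loadPlugin(`oc-auth-${type}`);
  } else if (type !== null && typeof type === 'object') {
    scheme = type;
  }
  for (const fn of ['validate', 'middleware']) {
    if (!scheme || typeof scheme[fn] !== 'function') {
      throw new TypeError(`publishAuth.type must provide a ${fn}() function`);
    }
  }
  return scheme;
}
```

Failing at configuration time means a misconfigured scheme stops the registry from starting instead of surfacing as an error on the first publish request.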