New hook after route has been found but before it's been evaluated #946
Labels
difficulty: intermediate (Enterprising community members could help)
effort: low (< 1 day of work)
help wanted (Solution is well-specified enough that any community member could fix)
theme: middleware (Only execute endpoint specific code)
Background
My R application is a microservice that calls a larger service to authenticate requests. I need to do this for every request so that only authorized users are able to use my service. I currently have it implemented something like this:
This works as expected; however, bots are attempting to scan my service looking for common vulnerabilities, which means I have spikes of traffic looking for generic routes like /.htaccess. The issue here is that for requests which do not have a matching route, I don't want to waste my server's resources. I'd like to greedily return a 404 without needing to perform the expensive action of checking the token.
As currently implemented, these requests make it to my middleware even though they are invalid. Even if they had valid tokens, they would make it through my middleware and then receive a 404 from plumber.
Attempted solution
I tried to solve this with hooks. I tried to move my middleware into a hook; that way I could leverage plumber's validation of the request while also being able to define reusable code that rejects unauthorized requests, but it appears that neither preroute nor postroute hooks work as I need them to.
The preroute hook seems to evaluate before the request has found the endpoint that can handle it (which makes sense), and postroute appears to run after the code inside my route has executed. So neither really works for me. I need some way to execute code after plumber has validated that the verb + route combo is valid and before my route has actually executed.
Proposed solution
I might be misunderstanding what postroute is supposed to do. I would have expected it to intervene in the exact moment I needed it to and then I would use postserialize to execute code after my route, but ideally there would be a new kind of hook introduced that allowed me to hook into the point in the execution I need to leverage. Perhaps postvalidation or postroutefound? Those aren't great names, but just off the top of my head.
If I am misunderstanding hooks and there is a way to achieve exactly what I want to, I apologize. The conclusions I wrote above are from adding logging into each possible hook and a test route to check the order they execute.
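One way to get the ordering the issue asks for with a plain plumber filter, shown as an added example that is neither the issue author's code nor part of plumber: the filter answers 404 for unknown verb + path pairs before it calls the expensive token check. The names verify_token_remote, known_routes, route_exists and auth_filter, the sample routes and the sample token are all hypothetical, and the route list is assumed to be static and maintained by hand.

```r
library(plumber)

# Hypothetical stand-in for the expensive call to the larger auth service.
# The accepted token is a constructed sample value.
verify_token_remote <- function(token) {
  identical(token, "Bearer constructed-demo-token")
}

# Assumption: every route is static and listed here as "VERB path".
# Dynamic paths such as /users/<id> would need pattern matching instead.
known_routes <- c("GET /health", "GET /report")

route_exists <- function(req) {
  paste(req$REQUEST_METHOD, req$PATH_INFO) %in% known_routes
}

auth_filter <- function(req, res) {
  # Cheap check first: an unknown verb + path never reaches the auth service.
  if (!route_exists(req)) {
    res$status <- 404
    return(list(error = "Not found"))
  }
  # Expensive check only for requests that a route can actually serve.
  # Fails closed: a missing token or any non-TRUE result is rejected.
  token <- req$HTTP_AUTHORIZATION
  if (is.null(token) || !isTRUE(verify_token_remote(token))) {
    res$status <- 401
    return(list(error = "Unauthorized"))
  }
  forward()
}

api <- pr() |>
  pr_filter("auth", auth_filter) |>
  pr_get("/health", function() list(status = "ok")) |>
  pr_get("/report", function() list(rows = 0))

# pr_run(api, port = 8000)  # uncomment to serve locally
```

Answering 404 before authenticating means an unauthenticated client can tell existing routes (401) from missing ones (404), so route names should not be treated as secret with this ordering.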