IMO it depends on how the API works. Most REST APIs are stateless and the authentication token or API key is sent in each request; there is no login/logout operation. In this case you can set up a before filter and check the authentication token in the filter. If you use normal form-based login then using HTTP sessions is the way to go. You can check the session attribute in a before filter similarly, and redirect the user to the login page if there is no session info.
Teapot on
    before: '/secure/*' -> [:req |
        req session attributeAt: #user ifAbsent: [req abort: (TeaResponse redirect location: '/loginpage')]];
    GET: '/loginpage' -> ...show login form...
    GET: '/secure' -> 'protected';
    start.

You should clean the session when the user logs out manually. As far as I know ZnServer automatically cleans up inactive sessions after a while, so there is no need to worry about cleanup.

--
View this message in context: http://forum.world.st/Teapot-Managing-authentication-by-a-third-party-Fossil-tp4950560p4950653.html
Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.
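The following is an added example, not code from the message above or from the Teapot project. It shows both approaches the reply describes in one Teapot application: a before filter on '/api/*' that checks a per-request API key header (the stateless case), and a before filter on '/secure/*' that checks a session attribute and redirects to the login page when it is missing, together with the login and manual-logout routes that set and clear that attribute. It assumes Teapot's before:/GET:/POST: routing, TeaRequest>>abort:, TeaResponse class>>redirect and >>unauthorized, and Zinc's ZnServerSession>>attributeAt:ifAbsent:/attributeAt:put:, ZnHeaders>>at:ifAbsent: and ZnRequest>>entity/headers behave as documented; the API key, user table, header name and route paths are constructed sample values.

```smalltalk
"Added example (not from the original message or the Teapot project).
 Assumed: Teapot routing/filter API and Zinc session API as described in the lead-in.
 All keys, users and paths below are constructed sample values."

| apiKey users constantTimeEquals |

apiKey := 'demo-api-key-not-a-real-secret'.          "constructed sample key"
users := Dictionary new.
users at: 'alice' put: 'correct horse'.              "constructed; a real app stores salted hashes"

"Compare two strings without an early exit, so response time does not
 reveal how many leading characters of the presented secret matched."
constantTimeEquals := [:a :b | | diff |
    diff := a size bitXor: b size.
    a size = b size ifTrue: [
        1 to: a size do: [:i |
            diff := diff bitOr: ((a at: i) asInteger bitXor: (b at: i) asInteger)]].
    diff = 0].

Teapot on
    "Stateless API: every /api/* request must carry the key in a header.
     No session is involved; the check runs on each request."
    before: '/api/*' -> [:req |
        | presented |
        presented := req headers at: 'X-Api-Key' ifAbsent: [''].
        (constantTimeEquals value: presented value: apiKey)
            ifFalse: [req abort: TeaResponse unauthorized]];
    GET: '/api/status' -> 'api ok';

    "Form login: /secure/* requires a #user attribute in the HTTP session.
     Checking for nil as well as absence means a cleared attribute also fails."
    before: '/secure/*' -> [:req |
        (req session attributeAt: #user ifAbsent: [nil])
            ifNil: [req abort: (TeaResponse redirect location: '/loginpage')]];
    GET: '/secure/home' -> [:req | 'welcome ', (req session attributeAt: #user)];

    GET: '/loginpage' -> '<form method="POST" action="/login">
        <input name="username">
        <input name="password" type="password">
        <button>Login</button></form>';

    "Successful login stores the user name in the session; the filter above
     then admits later /secure/* requests from the same session cookie."
    POST: '/login' -> [:req |
        | fields name pw |
        fields := req entity isNil
            ifTrue: [Dictionary new]
            ifFalse: [req entity fields].
        name := fields at: 'username' ifAbsent: [''].
        pw := fields at: 'password' ifAbsent: [''].
        (constantTimeEquals value: pw value: (users at: name ifAbsent: ['']))
            ifTrue: [
                req session attributeAt: #user put: name.
                TeaResponse redirect location: '/secure/home']
            ifFalse: [TeaResponse redirect location: '/loginpage']];

    "Manual logout: clear the attribute so the /secure/* filter redirects again.
     Inactive sessions are expired by the Zinc server on its own schedule."
    GET: '/logout' -> [:req |
        req session attributeAt: #user put: nil.
        TeaResponse redirect location: '/loginpage'];
    start.
```

Evaluating the block in a Pharo image with Teapot loaded starts the server on Teapot's default port; a request to /api/status without the X-Api-Key header gets 401, and a request to /secure/home without a logged-in session is redirected to /loginpage. The lookup of an unknown user falls through to an empty-string comparison so that a missing account and a wrong password take the same code path.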