Shouldn't anonymousScopes be anonymousGrants?
rafasofizada opened this issue · comments
I was reading through the code, to understand what grants/scopes/rights are (as I, personally, didn't understand that well from the documentation) and the working principle of the library.
I saw a case of variable naming, which, to me, seems inconsistent, and caused me to scratch my head for a while.
```ts
export interface HttpAuthnOptions<TIdentifiedBill extends IdentifiedBillBase> {
  ...
  /**
   * The set of scopes to grant to an anonymous identity.
   */
  anonymousScopes: ReadonlyArray<string>;
  ...
}
```
Why are scopes granted to a user? As far as I understood, grants are set by / on behalf of the user, scopes are set on controllers/handlers. On each request, scopes are first verified against grants, then against rights. The "scopes" granted to an anonymous user will be verified against, again, scopes, obtained from request controllers/handlers. Shouldn't it be the anonymous user's grants that are verified against the scopes?
To further prove my point, example directly from your code:
```ts
return new AnonymousBill(this.options.authn.anonymousScopes);
```
and then in AnonymousBill constructor:
```ts
export class AnonymousBill implements IdentityBill {
  constructor(readonly grants: ReadonlyArray<string>) {}
                       ^^^^^^
  ...
}
```
By the way, thanks Ed for such an amazing little library! It's genius and fits so well in my use case's requirements. The code is beautiful; documentation could've been better, but I'm planning on making a pull request, adding comments to the code and enhancing the documentation. Thank you for your work, the service you're doing to the Nest.js ecosystem is huge!
Hey - sorry, I never saw this! But you are absolutely correct. I am coming back to this stuff lately (I've been away from NestJS for some personal reasons) but yeah, this library needs some love and this is a great example of it.