pressly / saml

SAML provides tools for SAML based single sign-on in Go


Proposal: Can we get rid of the word "Middleware"?

VojtechVitek opened this issue · comments

I find using the word "Middleware" very misleading in the context of this package, i.e.:

	middleware := sp.NewMiddleware(&serviceProvider)

	middleware := idp.NewMiddleware(&identityProvider)

Both objects are not "middlewares" in my opinion. Instead, they provide end handlers, i.e. middleware.ServeMetadata.

I think of "middleware" as the onion pattern that wraps the http.Handler, see https://github.com/go-chi/chi#middleware-handlers.

Can we get rid of the word "Middleware"?


How about this:

	r := chi.NewRouter()

	sp := saml.ServiceProvider{
		CertFile: *flagPubCert,
		KeyFile:  *flagPrivKey,

		IdPMetadataURL: *flagMetadataURL,

		MetadataURL: *flagPublicURL + metadataPath,
		AcsURL:      *flagPublicURL + acsPath,

		SecurityOpts: saml.SecurityOpts{
			AllowSelfSignedCert: true,
		},
	}

	r.Get("/metadata.xml", sp.MetadataHandler)
	r.Post("/acs", sp.ACSHandler)

Seems like

	func (m *Middleware) ServeAcs(grantFn AccessFunction) func(http.ResponseWriter, *http.Request)

is actually a form of HTTP middleware, since it calls a custom (user-defined) end handler grantFn with the following signature:

	type AccessFunction func(*saml.Assertion) func(http.ResponseWriter, *http.Request)

IMHO, we should simplify this somehow. How about:

	// ParseAssertion is a middleware that parses the SAML assertion
	// and stores it in the request context.
	r.With(sp.ParseAssertion).Post("/acs", HandleAssertion)

	// Custom handler for a given Assertion.
	func HandleAssertion(w http.ResponseWriter, r *http.Request) {
		assertion := saml.GetAssertion(r.Context()) // gets Assertion from request context

		// .... the actual code that processes the SAML assertion
	}

Good points and great suggestions, see: #3

Closed by #3
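
The shape proposed in the thread above (a `ParseAssertion` middleware that stores the assertion in the request context, with the end handler reading it back), as an added example that is not part of the thread or of the pressly/saml code base. It uses only the standard library; `Assertion`, `ctxKey`, `post`, `bare`, `protected` and the `signed:` prefix check are hypothetical stand-ins for the real assertion type and signature validation.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Assertion struct{ Subject string } // hypothetical stand-in for saml.Assertion
type ctxKey struct{}                    // unexported type: other packages cannot set this key

// ParseAssertion calls next only after verification succeeds (fail closed).
func ParseAssertion(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := r.PostFormValue("SAMLResponse")
		if !strings.HasPrefix(raw, "signed:") { // placeholder for real signature validation
			http.Error(w, "invalid SAML response", http.StatusForbidden)
			return
		}
		a := &Assertion{Subject: strings.TrimPrefix(raw, "signed:")}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, a)))
	})
}

// HandleAssertion refuses requests that arrive without a verified assertion.
func HandleAssertion(w http.ResponseWriter, r *http.Request) {
	a, _ := r.Context().Value(ctxKey{}).(*Assertion)
	if a == nil {
		http.Error(w, "no assertion", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s", a.Subject)
}

// post sends a constructed ACS form POST through h and returns the status code.
func post(h http.Handler, samlResponse string) int {
	req := httptest.NewRequest("POST", "/acs", strings.NewReader("SAMLResponse="+samlResponse))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

var bare http.Handler = http.HandlerFunc(HandleAssertion) // route registered without the middleware
var protected = ParseAssertion(bare)                      // route wrapped as proposed in the thread
func main() {
	fmt.Println(post(protected, "signed:alice"), post(protected, "forged"), post(bare, "signed:alice"))
}
```

With this split, a route registered without the middleware gets a 401 from the handler instead of running with a nil assertion, which is the failure mode the context-based design introduces compared with passing the assertion as an argument.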