weavejester / ring-oauth2

OAuth 2.0 client middleware for Ring

Help: how to allow a local administrator to bypass?

yatesco opened this issue · comments

Our software ships with a magic administrator user who can do all things everywhere. Users who register via OAuth2 need to be accepted and mapped to internal permissions before they can actually log on.

Do you have any suggestions (other than "magic user? Urgh!") on how to accomplish this? Essentially I want to have a handler for all URLs which:

(defn- ensure-authentication [req]
  (if (magic-user-authenticated? req)
    continue...
    (forward-to-oauth2 req)))

If it was only a case of a magic user being able to access a subset of the system then I can see how to do that, but to allow them to access the entirety of the existing system...?

Help :-)

I'm not sure I understand the problem. I don't understand what's stopping you from just not using the oauth2 middleware in the case of that particular user.

I think I assumed that this lib also forces authentication for the URLs so I couldn't see how to teach it to understand non-OAuth2 authentication. My bad :-). Closing.
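The approach the thread settles on can be written as a separate gate middleware. This is an added example, not code from ring-oauth2 or from either participant. The `:local-admin?` session key, the `/admin-login` and `/oauth2/github` paths, and the `:github` profile name are assumptions; `:oauth2/access-tokens` is the request key ring-oauth2 populates after a successful login. The approval and permission mapping step for OAuth2 users is not shown.

```clojure
;; Added example, not ring-oauth2's own code. The session key, paths and
;; profile name below are assumptions made for illustration.
(ns example.auth-gate)

(def public-paths
  "Paths reachable without authentication (assumed): the local admin login form."
  #{"/admin-login"})

(defn local-admin?
  "True only when the server-side session was marked by the local login
  handler. Never derive this from a header or query parameter."
  [request]
  (true? (get-in request [:session :local-admin?])))

(defn oauth2-user?
  "True when an access token for the :github profile is on the request."
  [request]
  (some? (get-in request [:oauth2/access-tokens :github :token])))

(defn wrap-require-auth
  "Passes the request on for a local admin or an OAuth2 user; any other
  request is redirected to the OAuth2 launch URI."
  [handler launch-uri]
  (fn [request]
    (if (or (contains? public-paths (:uri request))
            (local-admin? request)
            (oauth2-user? request))
      (handler request)
      {:status 302 :headers {"Location" launch-uri} :body ""})))

;; Constructed handler and requests that exercise each branch.
(def app
  (wrap-require-auth (fn [_] {:status 200 :body "ok"}) "/oauth2/github"))

(defn demo
  "Returns the response status for each constructed request."
  []
  (mapv (comp :status app)
        [{:uri "/reports" :session {:local-admin? true}}          ; local admin
         {:uri "/reports"
          :oauth2/access-tokens {:github {:token "constructed"}}} ; OAuth2 user
         {:uri "/reports" :session {}}                            ; anonymous
         {:uri "/reports" :headers {"x-local-admin" "true"}}]))   ; spoofed header
```

In a real application `wrap-oauth2` and the session middleware wrap this gate from the outside, so the launch and callback URIs are handled and the tokens are attached before the gate inspects the request.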