These are chat archives for waterlock/waterlock

7th Oct 2015
Chris LeBlanc
@spacesuitdiver
Oct 07 2015 02:31
I'm new to Sails but one of my hopes is to get JWT auth going for my API. I don't need sessions as mentioned above, so waterlock seems perfect. What has me a little concerned though is it doesn't seem to complement the sails-permissions module, and it also doesn't use passport, thus limiting some of the authentication methods possible. I'm also having a little trouble understanding the flow: should/could I use waterlock to generate the JWT and then sails-auth+sails-permissions along with the passport-jwt strategy? Thanks!
Chris LeBlanc
@spacesuitdiver
Oct 07 2015 02:51
Also, on a slightly related note, is there anything in particular added to the JWT payload besides a userid (I'm guessing)? Maybe it would be possible/best to replicate a subset of the sails-permissions (I'm thinking just store the role) within the JWT token payload?
Wayne Douglas
@wayne-o
Oct 07 2015 08:12
I'll have a look into this. JWT supports roles, so there must be a graceful way to hook it all up.
Wayne Douglas
@wayne-o
Oct 07 2015 09:11
@LeBlaaanc - OK had a quick skim through their API and I don't think they are doing anything too funky - I'll get a setup running and have a more thorough look later - I suspect adding a policy is all it will take but will need to spike some code to know for sure. Thanks for the suggestion - this is something I will be needing down the line so it's very much in my interest to get this sorted :)
Chris LeBlanc
@spacesuitdiver
Oct 07 2015 17:53
@wayne-o - thanks... any thoughts on the "flow" question I had? Sorry if this is a bit out of scope of waterlock and more of a generalized auth discussion. What was the thought behind not using passport in waterlock? Maybe that would help me understand.
Wayne Douglas
@wayne-o
Oct 07 2015 19:03
On commute, so apologies for rushed response. Basically waterlock is JWT, JWT is sessionless, passport relies on sessions.
Chris LeBlanc
@spacesuitdiver
Oct 07 2015 22:48
I see. Looking into this further, though, it still seems Waterlock is using sessions to provide access to the JWT. Is there any reason not to just have /auth/login return the token on success?