Run middleware between extractor and handler?

[xldenis]

Summary

Is there any way I can run a middleware between the execution of extractors and the handler body?

My use case is the following: I have several authentication methods available as extractors, with each route using a single predetermined method. I wanted to make a middleware that would check that all of the requests are using one of the authentication methods since its easy to forget an extractor. My idea was that each authentication extractor would register an extension that the middleware would check for presence, but I haven't been able to get the middleware to run at the correct moment.

I'm hoping for a solution that would allow me to keep the two separate auth extractors rather than having a combined enum extractor. My suspicion is that this is not possible, but curious if I missed a trick.

axum version

v0.7.9

[jplatte]

No, this is not possible.

[mladedav]

Strictly speaking, no.

But, to kind of achieve something like what you're describing, the middleware could insert an extension containing a oneshot channel sender and then the authentication extractor could take this extension and send a message signalling that authentication was attempted. Then when the handler finishes, the middleware can check that it received the message and if not, discard the response and return 500.

It's not optimal since even if there's no authentication, you're still running the handler and all other middlewares. And the middleware can't tell if the handler did not have an auth extractor or if another middleware in the stack returned an error directly, or maybe a handler that ran before auth has failed and created an error response.

Having a middleware handle the authentication in the first place might be a better solution I think. If you need to get some information out of it like a username or something, it can then pass that to the handler through extensions.

The issue with having multiple different predetermined auth methods could be worked around by creating a Router per auth method, each having its own auth middleware and then merging the Routers into one. But this could look weird as you're arbitrarily splitting the routes by a technical detail and may not scale with other needs like nesting.

[xldenis]

Yea, there are definitely work arounds, just none that satisfy my aesthetic itches.

Having a middleware handle the authentication in the first place might be a better solution I think. If you need to get some information out of it like a username or something, it can then pass that to the handler through extensions.

That's what I currently do, but with multiple middlewares. I think in the end if I want to unify these approaches the cleanest thing would be to have a single middleware + extractor that produces an enum of the different authentication methods and perform a secondary permissions check in each route.

I wonder if I can somehow restrict the type of handlers to ones that include a specific extractor? Again, seems doubtful given the typing of Axum.

[mladedav]

Yeah, I was also thinking of type checking it, you could wrap the Router and then accept a custom Handler-like trait which could work the same way except the first extractor would have to be one of your auth types.

I'm not sure it's worth it though.