access token handler is now a pass through handler, it no longer retu…

[jdslavin]

…rns a 401 error when the access token is invalid or missing, it just calls the next handler with no user on the request

[Pancia]

This doesn't seem right, wouldn't you always be returning false if there's no invalid-token-handler?
Also wouldn't it not even use that return value, but always call (handler request)?

[jdslavin]

All it does now is pass through the handler chain, when we do not have a valid token, without the user will be associated with the request. This is what we discussed with Tony. This puts control into the actual code that cares about authorization to look for the user and do the right things based on that.

[awkay]

Is everyone ok with this PR? @Pancia @jdslavin ?

[awkay]

I might need you guys to resolve conflicts...I merged @Pancia branch first

[Pancia]

I'm not sure if I want to merge this just yet, I might just prefer to create/use untangled-auth once it's ready instead of having auth/openid things in untangled-server.

But I can merge this now if that'd be best, but I'm not sure I really want to have to upgrade other apps that use this so soon after refactoring a big part of the server code.

[awkay]

ok, well let me know

[jdslavin]

I created https://github.com/jdslavin/untangled-openid that has the mock openid server and the openid connet middleware. I still need to do some docs but wanted to get that up there. If we remove these components from untangled-server we can drop this pull request

[awkay]

I'm game for a new repo. If it's ready to pull in, then I can create a repo for you to push to.

[Pancia]

Is the intent for it to be untangled-openid or untangled-auth?
I would prefer it to be generic, but I can be persuaded either way.

I would also recommend we pull code from untangled-server & this branch, as I've done a few changes to the server code, eg: jeff's untangled-openid still uses set-*-hook.

[Pancia]

ready for merging once CI tests pass