how is @Authorize meant to work?

[VictoriqueMoe]

I have an issue.

It seems no matter what protocol is supplied into @Authorize, the route will ALWAYS work as long as there as active session, even if the suppplied protocol is not bound to sessions (say, basic.)

given the following route:

@Controller("/bucket")
@Hidden()
export class BucketView {
    public constructor(@Inject() private bucketService: BucketService) {}

    @Get()
    @View("/secure/files.ejs")
    @Authorize("basic")
    public async showBucketPage(@Req() req: Request): Promise<unknown> {
        const bucket = await this.bucketService.getBucket();
        return {
            user: req.user as CustomUserInfoModel,
            bucket,
        };
    }
}

and the following protocol:

@Protocol({
    name: "basic",
    useStrategy: BasicStrategy,
})
export class BasicProtocol implements OnVerify {
    public constructor(@Inject() private usersService: UserService) {}

    public async $onVerify(@Arg(0) email: string, @Arg(1) password: string): Promise<UserModel | false> {
        const user = await this.usersService.getUser(email, password);
        if (!user) {
            return false;
        }
        return user;
    }
}

If i have no active session. then it works as epected (asks for user/password).

However, lets say i have a cookie based login session using express-session:

 this.app.use(
                session({
                    secret: this.sessionKey,
                    resave: false,
                    store: new TypeormStore({
                        cleanupLimit: 2,
                    }).connect(this.ds.getRepository(SessionModel)),
                    saveUninitialized: false,
                    cookie: {
                        path: "/",
                        httpOnly: true,
                        maxAge: 86400000,
                        secure: this.https === "true",
                        sameSite: "strict",
                    },
                }),
            );

and a protocol for session login:

@Protocol<IStrategyOptions>({
    name: "loginAuthProvider",
    useStrategy: Strategy,
    settings: {
        session: true,
        usernameField: "email",
        passwordField: "password",
    },
})
export class LoginLocalProtocol implements OnVerify {
    public constructor(@Inject() private usersService: UserService) {}

    public async $onVerify(@BodyParams() credentials: UserModel): Promise<UserModel | false> {
        const { email, password } = credentials;
        const user = await this.usersService.getUser(email, password);
        if (!user) {
            return false;
        }
        return user;
    }
}

and a login handler:

    @Post("/login")
    @UseBefore(CaptchaMiddleWare)
    @Authenticate("loginAuthProvider", { failWithError: true })
    @Returns(StatusCodes.MOVED_TEMPORARILY)
    @Returns(StatusCodes.UNAUTHORIZED)
    public login(@Res() res: Response): void {
        res.redirect("/admin");
    }

As soon as you login via the /login handler and a session is made. the showBucketPage route above will be called, and be authorised and will not call the basic protocl.

this is an issue for applications that require multiple authentication protols.

How is @Authorize meant to work exactly, i assume OnVerify on the supplied protocol is not called for every single time the endpoint is hit. so how does the code know when to call the protocoll verify and whe not to when a route is decorated with @Authorize?

thanks,
VIctoria

[VictoriqueMoe]

I solved this using @Session