Return the matched query + variable bindings in the success type about biscuit-rust HOT 5 CLOSED

could you show an example of this use?

from biscuit-rust.

Of course: https://www.biscuitsec.org/docs/Usage/haskell/#query-data-from-the-authorizer

{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes       #-}

import Auth.Biscuit

checkBiscuit :: Biscuit -> IO Text
checkBiscuit b =
  result <- authorizeBiscuit b [authorizer| allow if user($user); |]
  case result of
    Left a  -> throwError …
    Right success ->
      case getSingleVariableValue (getBindings success) "user" of
        Just userId -> pure userId
        -- ^ this will only match if a unique user id is
        -- retrieved from the matched variables
        Nothing -> throwError …

the general idea is that the success value returned when the biscuit was authorized carries the bindings that matched the allow query. With a couple helpers, it makes it easy to get regular values. In the example, i've used helpers that only succeed if there is a unique binding for a given variable, but lower-level access is possible.

The alternative is to query the authorizer after success, with a dedicated query:

{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes       #-}

import Auth.Biscuit

checkBiscuit :: Biscuit -> IO Text
checkBiscuit b =
  result <- authorizeBiscuit b [authorizer| allow if true; |]
  case result of
    Left a  -> throwError …
    Right success ->
      case getSingleVariableValue (queryAuthorizerFacts success [query|user($user)|]) "user" of
        Just userId -> pure userId
        -- ^ this will only match if a unique user id is
        -- retrieved from the matched variables
        Nothing -> throwError …

but in many cases, it's better to run all checks in the authorizer, rather than having an extra step that can fail afterwards: if we want tokens with a defined user id, we might as well enforce it in the allow query directly.

from biscuit-rust.

I see, that would be useful. The rust library behaves differently though, it stops at the first match instead of trying them all

from biscuit-rust.

Do you mean "the first policy that matches", or "the first binding map within a policy"? (Since policies can contain several "or" clauses)

from biscuit-rust.

The first binding within a policy. If there are multiple variable combinations that a policy could match, it will stop at the first one. The goal is to find at least one match for authorization, while queries are there if we want all the possible matches

from biscuit-rust.