You can use the magic of XQuery closures to write that `if` only once, as here in the role-check function:

(: The module declaration is an assumption added so the snippet compiles as a
   RESTXQ library module; the post only used the web: prefix in the call. :)
module namespace web = "http://example.org/cellar";

(:~
 : return all users as json if this session is for admin
 :)
declare
  %rest:GET %rest:path("cellar/api/users")
  %output:method("json")
function web:users() {
  web:role-check("admin", function() {
    <json arrays="json" objects="user">
      { for $u in db:open('cellar', "users.xml")/users/user
        return <user>
          <id>{ $u/@id/fn:string() }</id>
          <name>{ $u/@name/fn:string() }</name>
        </user> }
    </json>
  })
};

(:~
 : execute function fn if session has logged in user with matching role, else 401
 : (assumption: the login handler stored the user's role under the session key "role")
 :)
declare function web:role-check(
  $role as xs:string,
  $fn as function() as item()*
) as item()* {
  let $uid := session:get("uid")
  (: exists() rather than the effective boolean value of $uid, which is false for an id of 0 or "" :)
  return if (exists($uid) and session:get("role") = $role) then
    $fn()
  else
    web:http-auth("Whizz apb auth", ())
};

(:~
 : 401 Unauthorized response carrying a WWW-Authenticate challenge, see
 : http://restpatterns.org/HTTP_Status_Codes/401_-_Unauthorized
 :)
declare function web:http-auth($auth-scheme as xs:string, $response as item()*) as item()* {
  (
    <rest:response>
      <http:response status="401">
        <http:header name="WWW-Authenticate" value="{ $auth-scheme }"/>
      </http:response>
    </rest:response>,
    $response
  )
};

Looks a lot like node.js ;-)
/Andy
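The closure pattern above generalises to the `%auth:roles-allowed("admin")` style Daniel asked for: pass a sequence of allowed roles instead of one, and answer 401 (no session) and 403 (session but wrong role) differently. The following is an added example and not code from the thread or from BaseX; it assumes a `cellar` database whose `users.xml` has `<role>` children and a `<pw salt="..." hash="..."/>` element per user (hash = base64 of sha256(salt || password)), a made-up module URI, and a placeholder `WWW-Authenticate` value. Its `users` handler stands in for Andy's, so deploy one or the other.

```xquery
(: Added example, not part of the original post. Assumed users.xml layout:
   <users><user id="1" name="alice"><role>admin</role>
                <pw salt="..." hash="..."/></user>...</users>
   where hash = base64(sha256(salt || password)). Module URI is hypothetical. :)
module namespace auth = "http://example.org/cellar/auth";

(:~ Roles of the logged-in user, re-read from the database on every call so
 : that a role removed from users.xml takes effect without a new login. :)
declare function auth:roles() as xs:string* {
  let $uid := session:get("uid")
  return if (empty($uid)) then ()
    else db:open("cellar", "users.xml")/users/user[@id = $uid]/role/string()
};

(:~
 : Run $fn only if the session user holds at least one of $allowed.
 : No session -> 401 with a challenge; session but no matching role -> 403,
 : so a client is not told to re-authenticate when the problem is authorization.
 :)
declare function auth:roles-allowed(
  $allowed as xs:string+,
  $fn as function() as item()*
) as item()* {
  if (empty(session:get("uid"))) then
    auth:status(401, <http:header name="WWW-Authenticate" value='Basic realm="cellar"'/>)
  else if (auth:roles() = $allowed) then
    $fn()
  else
    auth:status(403, ())
};

declare %private function auth:status($code as xs:integer, $headers as element(http:header)*) {
  <rest:response>
    <http:response status="{ $code }">{ $headers }</http:response>
  </rest:response>
};

(:~ Form login. Only the user id goes into the session; roles are looked up
 : by auth:roles(). Unknown name and wrong password get the same answer so
 : the endpoint does not reveal which user names exist. :)
declare
  %rest:POST %rest:path("cellar/api/login")
  %rest:form-param("user", "{$user}")
  %rest:form-param("pass", "{$pass}")
function auth:login($user as xs:string?, $pass as xs:string?) {
  let $u := (db:open("cellar", "users.xml")/users/user[@name = $user])[1]
  (: salted SHA-256 keeps the example self-contained; a slow KDF such as
     bcrypt, scrypt or PBKDF2 is the right choice for stored passwords :)
  let $ok := exists($u) and exists($pass)
             and string(hash:sha256($u/pw/@salt || $pass)) = string($u/pw/@hash)
  return if ($ok) then (
    session:set("uid", string($u/@id)),
    <rest:response><http:response status="204"/></rest:response>
  ) else
    auth:status(401, <http:header name="WWW-Authenticate" value='Basic realm="cellar"'/>)
};

(: POST rather than GET so a logout cannot be triggered by an <img> link :)
declare %rest:POST %rest:path("cellar/api/logout")
function auth:logout() {
  session:close(),
  <rest:response><http:response status="204"/></rest:response>
};

(:~ Protected handler: admins and auditors may list users, nobody else. :)
declare
  %rest:GET %rest:path("cellar/api/users")
  %output:method("json")
function auth:users() {
  auth:roles-allowed(("admin", "auditor"), function() {
    <json arrays="json" objects="user">
      { for $u in db:open("cellar", "users.xml")/users/user
        return <user><id>{ string($u/@id) }</id><name>{ string($u/@name) }</name></user> }
    </json>
  })
};
```

Two caveats a practitioner would add: the hash comparison is a plain string equality, not constant time, and because the session rides on a cookie, state-changing POST handlers such as login and logout still need CSRF protection (a token or a same-origin check), which RESTXQ annotations do not provide on their own.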

On Thu, Nov 15, 2012 at 1:37 PM, Christian Grün <christian.gruen@gmail.com> wrote:
Hi Daniel,

you may be interested to hear that we already have some first thoughts
on extending the RESTXQ API with an authentication module. As you
indicated, those "if" constructs are the current way to go. While it
works fine in practice, I agree it’s not the way it should be. The
reasons why we haven’t chosen a solution yet are that..

-- we didn’t have enough time to put more focus on that issue

-- we didn’t want to restrict ourselves to the use cases we’re
currently aware of

Maybe we should start off with a little spec describing what the %auth
annotations should look like, where the authentication functionality
will be located, and how we can ensure that also protocols like OAuth
can be supported. As soon as we have specified the basics, the
implementation shouldn’t cause too much headache. If you have some
concrete ideas, your input is more than welcome!

In the end, I’d like to get the enhancement into the work-in-progress
RESTXQ draft (the exquery GitHub issue tracker is probably the best
platform to discuss such extensions and propose extensions [1]). This
is why I cc'ed this mail to Adam Retter..

Christian

[1] https://github.com/exquery/exquery/issues
___________________________

On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička
<daniel.kvasnicka@me.com> wrote:
> Hi folks,
>
> I'd like to write an app using RESTXQ and I'd like to auth users using a regular form-based authentication and then on some XQuery functions check for an existing user session (and possibly user roles). I'd also like to add some social media login using OAuth (later).
> My question is - is it somehow possible to do this in a declarative way? For example custom annotations on XQuery handlers? Something like %auth:roles-allowed("admin")
> I definitely don't want to "if" at the beginning of every function that should be protected. No problem with implementing this in Java or XQuery. Just tell me how to approach this orthogonal concern in a reasonable way...
> Or should I equal app users to BaseX users and leverage Basex auth?
>
> Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a good tool for that).
>
> Daniel
>
> --
> danielkvasnicka.net
>
> _______________________________________________
> BaseX-Talk mailing list
> BaseX-Talk@mailman.uni-konstanz.de
> https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk