vapor-docs/auth/request.md

---
currentMenu: auth-request
---

# Request

The `auth` property on `Request` let's you authenticate users and also provides some convenience methods for accessing common authorization headers.

## Authorization

The authorization header is a great place to send credentials from a client. 

```
Authorization: xxxxxxxxxx
```

You can access the authorization header through `req.auth.header`. Two common patterns are basic and bearer.

### Basic

Basic authorization consists of a username and password concatenated into a string and base64 encoded.

```
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
```

This is what an example header looks like. You can read more about basic auth on [wikipedia](https://en.wikipedia.org/wiki/Basic_access_authentication).

Below is how you access this header using `req.auth`.

```swift
guard let credentials = req.auth.header?.basic else {
    throw Abort.badRequest
}
```

The basic header returns an `APIKey` credential.

```
class APIKey: Credentials {
	let id: String
	let secret: String
}
```

### Bearer

Another common method is bearer which consists of a single API key.

```
Authorization: Bearer apikey123
```

It is accessed similarly to the basic header and returns an `AccessToken` credential.

```
class AccessToken: Credentials {
	let string: String
}
```

### Raw

To access the raw authorization header, use `req.auth.header?.header`.

## Credentials

Both Basic and Bearer return something that conforms to `Credentials`. You can always create a custom `Credentials` object for authentication by conforming your own class to `Credentials` or by manually creating an `APIKey`, `AccessToken`, or `Identifier`.

```swift
let key = AccessToken(string: "apikey123")
```

### Input

You can also create credentials from form or JSON data.

```swift
guard 
	let username = req.data["username"]?.string,
	let password = req.data["password"]?.string
else {
	throw Abort.badRequest
}

let key = APIKey(id: username, secret: password)
```

## Login

Once you have some object that conforms to `Credentials`, you can try to login the user.

```swift
try req.auth.login(credentials)
```

If this call succeeds, the user is logged in and a session has been started. They will stay logged in as long as their cookie is valid.

### Authenticate

Logging in calls the `authenticate` method on `Auth.User` model you supplied to the `AuthMiddleware`. Make sure you add support for all the credential types you may want to use.

> Note: If you used a custom Realm, it will be called instead.

### Identifier

Another important credential type is the `Identifier` type. This is used by Vapor when fetching the `User` object from the `vapor-auth` cookie. It is also a convenient way to log a user in manually.

```swift
static func authenticate(credentials: Credentials) throws -> Auth.User {
	switch credentials {
	...
	case let id as Identifier:
		guard let user = try User.find(id.id) else {
			throw Abort.custom(status: .badRequest, message: "Invalid identifier.")
		}

		return user
	...
	}
}
```

Adding the `Identifier` case for `Credentials` is easy, just look up the user by the identifier.

```swift
let id = Identifier(id: 42)
try req.auth.login(id)
```

Now you can manually log users in with just their identifiers.

### Ephemeral

If you just want to log the user in for a single request, disable persistance. 

```swift
req.auth.login(credentials, persist: false)
```

> Note: Supporting `Identifier` credentials is required for persisted authentication to work properly.

## User

By default, `request.auth.user()` returns the authorized `Auth.User`. This will need to be casted to your internal `User` type for use.

Adding a convenience method on `Request` is a great way to simplify this.

```swift
extension Request {
    func user() throws -> User {
        guard let user = try auth.user() as? User else {
            throw Abort.custom(status: .badRequest, message: "Invalid user type.")
        }

        return user
    }
}
```

Now you can access your `User` type with `try req.user()`.