I am trying to set up API key validation in a middleware
First of all: I have no idea if this is a good practice since I never built backend before...
We have a table "users" and one "keys". For API key authorization we created a new route "/auth/connect". This route returns a valid token so third-party apps can access the protected routes. The key table has the ability to deactivate a key using a boolean field. There is also a field "expires_at" that holds the date when the key will turn invalid.
What I now need is to verify that the key that belongs to a token used to authorize in Xano is still active. So every time I access a protected route I need to run a check comparing the key_id that is stored in the auth extras and then get the key record, look at the field and see if it is still active. If not, then a precondition is triggered.
I got this to work with a custom function that can be plugged in the API route. However, I'd prefer a more scalable and easy solution. So if I could put this function into a global middleware that runs on all protected routes this would solve my issue.
But for some reason I cannot access the auth.extras object from within the middleware (or at least I did not find the option to do that).
Could anyone guide me on how to set this up and give me some general best practice advice for building API key authorization?
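
The per-request check described in the post, as an added example in plain Python; it is not part of the original post and does not use Xano's function stack or middleware API. The field name `active`, the `auth_extras` request key, the `list_items` route and the rule that a null `expires_at` means "no expiry" are assumptions; `key_id` and `expires_at` come from the post.

```python
from datetime import datetime, timezone

# Constructed sample rows standing in for the "keys" table.
# "active" is an assumed name for the boolean field; "expires_at" is from the post.
KEYS = {
    1: {"active": True,  "expires_at": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    2: {"active": False, "expires_at": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    3: {"active": True,  "expires_at": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    4: {"active": True,  "expires_at": None},  # assumption: null means no expiry
}

def check_key(extras, keys, now):
    """Return (allowed, reason). Any missing data is treated as a denial."""
    key_id = (extras or {}).get("key_id")
    if key_id is None:
        return False, "token carries no key_id"
    record = keys.get(key_id)
    if record is None:
        return False, "key not found"  # a deleted key must stop working too
    if record.get("active") is not True:
        return False, "key deactivated"
    expires_at = record.get("expires_at")
    if expires_at is not None and now >= expires_at:
        return False, "key expired"
    return True, "ok"

def protected(handler, keys=KEYS, clock=lambda: datetime.now(timezone.utc)):
    """Wrap a route handler so the key check runs before it on every request."""
    def wrapped(request):
        allowed, reason = check_key(request.get("auth_extras"), keys, clock())
        if not allowed:
            return {"status": 401, "error": reason}
        return handler(request)
    return wrapped

def list_items(request):  # hypothetical protected route
    return {"status": 200, "items": []}

guarded_list_items = protected(list_items)
```

Because the key record is looked up on every request, deactivating a key takes effect immediately, even for tokens that were issued earlier and have not yet expired themselves.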