Wrapping a serverless function in `useRequireAuth` still allows you to execute the function without being authenticated
We had a user on Discord who was wrapping his serverless function in `useRequireAuth`, but could still execute the function without any auth headers set. He was expecting that `useRequireAuth` would block any unauthenticated invocations. Which is totally understandable, as the documentation isn't really clear here.

What `useRequireAuth` really does though, is it makes all the other auth related functions available. Maybe it should really be called `makeAuthAvailable()`? Or `withAuthAvailable()` to copy React HOC naming conventions.
What you really need to do to block execution is

```ts
// Imports added for completeness; they were not part of the original snippet.
import type { APIGatewayEvent, Context } from 'aws-lambda'
import { useRequireAuth } from '@redwoodjs/graphql-server'
import { getCurrentUser, requireAuth } from 'src/lib/auth'

const myHandler = async (_event: APIGatewayEvent, _context: Context) => {
  // requireAuth() throws when there is no authenticated user or the user
  // lacks the role, so nothing below this line runs for unauthorised callers.
  requireAuth({ roles: 'admin' })
  return {
    statusCode: 200,
  }
}

// useRequireAuth() only resolves the current user and makes it available to
// requireAuth() and the other auth helpers; it does not reject the request.
export const handler = useRequireAuth({ handlerFn: myHandler, getCurrentUser })
```

So, wrap the handler in `useRequireAuth()` and then call `requireAuth()` first thing in your handler.
I do think the current implementation is the right one. We could block execution in `useRequireAuth`, but doing it the current way is much more flexible. For example it allows the developer to have two execution paths through the handler: one for authenticated users and one for unauthenticated users.

@dthyresson Do you think we should just update the docs, or should we rename something? Or both? Or something else entirely?
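The distinction the issue is about, as an added example that is not RedwoodJS code and not part of the original issue: a wrapper that only resolves the caller and makes it available to the handler, a `requireAuth` that actually blocks by throwing, and the two handler styles the discussion mentions (block first thing, or branch on whether a user was resolved). The names `withAuthAvailable`, `AuthContext`, `SAMPLE_TOKENS` and `request` are this example's own; the token table is constructed inline so it runs offline, and the 401/403 mapping of thrown errors is this example's choice, not something the issue specifies.

```typescript
// Added example, not RedwoodJS code: a minimal model of the behaviour the
// issue describes. `withAuthAvailable` (a hypothetical name taken from the
// issue) only resolves the caller and hands it to the handler; `requireAuth`
// is the call that actually blocks.

interface FunctionEvent {
  headers: Record<string, string | undefined>
}

interface CurrentUser {
  id: number
  roles: string[]
}

interface FunctionResponse {
  statusCode: number
  body: string
}

// Request-scoped context the wrapper fills in before calling the handler.
interface AuthContext {
  currentUser: CurrentUser | null
}

type Handler = (event: FunctionEvent, context: AuthContext) => Promise<FunctionResponse>

class AuthError extends Error {
  statusCode: number
  constructor(statusCode: number, message: string) {
    super(message)
    this.statusCode = statusCode
  }
}

// Constructed sample token table standing in for a real auth provider.
const SAMPLE_TOKENS: Record<string, CurrentUser> = {
  'token-admin': { id: 1, roles: ['admin'] },
  'token-user': { id: 2, roles: ['user'] },
}

// Stand-in for getCurrentUser(): returns null for a missing or unknown token
// instead of throwing, so unauthenticated requests still reach the handler.
function getCurrentUser(event: FunctionEvent): CurrentUser | null {
  const header = event.headers['authorization'] ?? ''
  const [scheme, token] = header.split(' ')
  if (scheme !== 'Bearer' || !token) return null
  return SAMPLE_TOKENS[token] ?? null
}

// The wrapper never refuses a request by itself; it only makes the resolved
// user available. Mapping AuthError to 401/403 is this example's choice.
function withAuthAvailable(handlerFn: Handler): Handler {
  return async (event, _context) => {
    const context: AuthContext = { currentUser: getCurrentUser(event) }
    try {
      return await handlerFn(event, context)
    } catch (e) {
      if (e instanceof AuthError) return { statusCode: e.statusCode, body: e.message }
      throw e
    }
  }
}

// The enforcing call: throws, so nothing after it runs for anonymous callers
// or callers without the requested role.
function requireAuth(context: AuthContext, opts: { roles?: string } = {}): CurrentUser {
  const user = context.currentUser
  if (!user) throw new AuthError(401, 'You must be logged in')
  if (opts.roles && !user.roles.includes(opts.roles)) {
    throw new AuthError(403, `Role '${opts.roles}' required`)
  }
  return user
}

// Path 1: block everything that is not an admin, first thing in the handler.
const adminOnly: Handler = async (_event, context) => {
  requireAuth(context, { roles: 'admin' })
  return { statusCode: 200, body: 'admin-only payload' }
}
export const adminHandler = withAuthAvailable(adminOnly)

// Path 2: the flexibility the issue mentions, one handler with a path for
// authenticated and one for anonymous callers, without any throw.
const publicOrPersonal: Handler = async (_event, context) => {
  if (context.currentUser) {
    return { statusCode: 200, body: `hello user ${context.currentUser.id}` }
  }
  return { statusCode: 200, body: 'hello anonymous' }
}
export const dualPathHandler = withAuthAvailable(publicOrPersonal)

// Builds a request event with or without a bearer token.
export function request(token?: string): FunctionEvent {
  return { headers: token ? { authorization: `Bearer ${token}` } : {} }
}
```

Calling `adminHandler(request(), { currentUser: null })` returns a 401 and `adminHandler(request('token-user'), ...)` a 403, while `dualPathHandler` answers both anonymous and authenticated callers with a 200: the wrapper is identical in both cases, and only the handler's own `requireAuth()` call decides whether anything is blocked.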
Issue Analytics: created a year ago; 11 comments (7 by maintainers)
We decided on a call today to call the function `withAuth`.
@jtoar Thanks for your input. "Enriched" is used a bit in the tests for `useRequireAuth`. That's where I got that from. But definitely open to other names.

https://github.com/redwoodjs/redwood/blob/34acbb5efe4f3d16447c5c08d6eea9c9d79fa6b0/packages/graphql-server/src/functions/__tests__/useRequireAuth.test.ts?rgh-link-date=2022-04-21T10%3A15%3A32Z#L141