Description
Suggestion
It would appear that today if some middleware logic wishes to send a redirect response, the controller must be aware of that and handle the redirection on behalf of the middleware. This seems a bit incoherent, as the controller is generally concerned with managing the resource defined by the REST endpoint, and not the needs of the middleware.
Use Cases
Authentication. See this example. Why do I need special controller logic for loginToThirdParty there? If the middleware abstraction weren't leaking, I'd expect that I could just decorate any endpoint method of my controller with @authenticate(STRATEGY_NAME) and if the strategy requires redirection (e.g. OIDC), the user should be redirected to login/grant access, then redirected back to the endpoint in question. If I want to enable this behaviour today it would appear that I need this redirection logic for every single protected controller function that I write.
Examples
One way to achieve this would be to follow the pattern that AuthenticationActionProvider uses here, but instead of writing to setters that are bound to a binding specific to the Authentication namespace, write to some more generic binding that can be picked up and handled before the controller is ever called, subverting the need to call the controller entirely.
Another way might be to inspect the return value of the middleware. If it returns a RedirectRoute, redirect instead of calling the controller. I find this to be a cleaner option than injecting setters, but I can imagine this being more difficult to implement. As an aside, it'd be nice if controllers could do this as well, rather than requiring the Response object to be injected.
Acceptance criteria
TBD - will be filled by the team.