Currently the API doesn't require authentication. It is not a real problem yet, as the two routes we implemented are read-only, but for routes that will add/change user content, requests should be authenticated.
Here is how I see it (tell me if you think something is wrong with this design, I'm not used to REST APIs):
- There is an endpoint in the API for apps to register themselves; it returns a client ID and a client secret
- There is another endpoint to get an access token, which requires the client ID, the secret and the user's credentials
- This token should be sent in the `Authorization` header for authenticated API requests
- Users can revoke any token from Plume
Plume version (and/or commit): 0.2.0
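The flow proposed in the post above, as an added sketch that is not Plume's code and not part of the original issue. It assumes the `Bearer` scheme for the `Authorization` header, a hypothetical in-memory `AuthStore`, a `user_ok` flag standing in for the server's password check, and a Unix-like host with `/dev/urandom`.

```rust
use std::{collections::HashMap, fs::File, io::Read};

// Hypothetical in-memory store; a real server would persist this and hash secrets at rest.
#[derive(Default)]
pub struct AuthStore {
    apps: HashMap<String, String>,   // client_id -> client_secret
    tokens: HashMap<String, String>, // access token -> user name
}

// 128 random bits as hex from the OS CSPRNG (assumes a Unix-like host with /dev/urandom).
fn random_hex() -> String {
    let mut buf = [0u8; 16];
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("no OS randomness");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

// Compare secrets without stopping at the first differing byte (length is not hidden).
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl AuthStore {
    // An app registers itself and receives (client_id, client_secret).
    pub fn register_app(&mut self) -> (String, String) {
        let (id, secret) = (random_hex(), random_hex());
        self.apps.insert(id.clone(), secret.clone());
        (id, secret)
    }
    // Exchange client + user credentials for a token; `user_ok` replaces the password check.
    pub fn issue_token(&mut self, id: &str, secret: &str, user: &str, user_ok: bool) -> Option<String> {
        if !ct_eq(self.apps.get(id)?, secret) || !user_ok { return None; }
        let token = random_hex();
        self.tokens.insert(token.clone(), user.to_string());
        Some(token)
    }
    // Resolve an Authorization header value to a user; anything but "Bearer <token>" fails.
    pub fn authenticate(&self, header: &str) -> Option<&str> {
        self.tokens.get(header.strip_prefix("Bearer ")?.trim()).map(String::as_str)
    }
    // A user revokes one of their own tokens; false if it is unknown or someone else's.
    pub fn revoke(&mut self, user: &str, token: &str) -> bool {
        self.tokens.get(token).map_or(false, |o| o == user) && self.tokens.remove(token).is_some()
    }
}

fn main() {
    let mut store = AuthStore::default();
    let (id, secret) = store.register_app();
    let token = store.issue_token(&id, &secret, "alice", true).unwrap();
    println!("{:?}", store.authenticate(&format!("Bearer {}", token)));
}
```

Revocation here is scoped to the token's owner, so a request to revoke another user's token fails the same way as an unknown token.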
APIs usually use OAuth authentication. I don't know if there are any crates for it (I saw lots of client-side, but not that many server-side implementations on crates.io), but I think the best way is probably to use that as it's standard.