API authentication #275

Closed
by elegaanz opened 3 years ago · 1 comments
elegaanz commented 3 years ago (Migrated from github.com)
Owner

Currently the API doesn't require authentication. It is not a real problem yet, as the two routes we implemented are read-only, but for routes that will add/change user content, request should be authenticated.

Here is how I see it (tell me if you think something is wrong with this design, I'm not used REST APIs):

  • There is an endpoint in the API for apps to register themselves, it returns a client ID, a client secret
  • there is another endpoint to get an access token, that requires the client ID, secret and users credentials
  • this token should be sent in the Authorization header for authenticated API requests
  • Users can revoke any token from Plume

Plume version (and/or commit): 0.2.0

Currently the API doesn't require authentication. It is not a real problem yet, as the two routes we implemented are read-only, but for routes that will add/change user content, request should be authenticated. Here is how I see it (tell me if you think something is wrong with this design, I'm not used REST APIs): - There is an endpoint in the API for apps to register themselves, it returns a client ID, a client secret - there is another endpoint to get an access token, that requires the client ID, secret and users credentials - this token should be sent in the `Authorization` header for authenticated API requests - Users can revoke any token from Plume Plume version (and/or commit): 0.2.0

APIs usually use OAuth authentication. I don't know if there are any crates for it (I saw lots of client-side, but not that much servers-side implementation on crate.io), but I think the best way is probably to use that as it's standard

APIs usually use OAuth authentication. I don't know if there are any crates for it (I saw lots of client-side, but not that much servers-side implementation on crate.io), but I think the best way is probably to use that as it's standard
Sign in to join this conversation.
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.