API Authentication
#285
Zusammengeführt
elegaanz
hat 13 Commits von api-auth nach master vor 6 Jahren zusammengeführt
Keine Reviewer
Kein Label
A: API
A: Backend
A: Federation
A: Front-End
A: I18N
A: Meta
A: Security
Build
C: Bug
C: Discussion
C: Enhancement
C: Feature
Compatibility
Dependency
Design
Documentation
Good first issue
Help welcome
Mobile
Rendering
S: Blocked
S: Duplicate
S: Incomplete
S: Instance specific
S: Invalid
S: Needs Voting/Discussion
S: Ready for review
Suggestion
S: Voted on Loomio
S: Wontfix
Kein Meilenstein
Niemand zuständig
2 Beteiligte
Nachrichten
Fällig am
Kein Fälligkeitsdatum gesetzt.
Abhängigkeiten
Keine Abhängigkeiten gesetzt.
Referenz: Plume/Plume#285
Laden…
In neuem Issue referenzieren
Hier gibt es bis jetzt noch keinen Inhalt.
Branch „api-auth“ löschen
Das Löschen eines Branches ist permanent. Es KANN NICHT rückgängig gemacht werden. Fortfahren?
AppmodelApiTokenmodelApiTokena request guardFixes #275
I think actually the whole
/apican be authorized, if I remember well it's denoted by/api/<path..>👀
@ -0,0 +1,77 @@use canapi::{Error, Provider};should i be watching the canapi repo as well?
@ -0,0 +1,77 @@use canapi::{Error, Provider};As you want
I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like
fn read_post( [...] , _authorized: Authorization<Read, Post>)and it would deny request without tests to do by ourself)Just "use apps" is maybe a bit unclear, maybe you should use the full path, and also tell how to use it (Do a post with such data, and such other is optional and....)
name seems to be required by
36297101f2/plume-models/src/apps.rs (L47)So I think it should not be an Option
@ -0,0 +1,13 @@use canapi::Endpoint;#[derive(Clone, Default, Serialize, Deserialize)]pub struct AppEndpoint {This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that
both error message ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170
The request should be documented with Swagger (but it is broken for the moment 😢)
@ -0,0 +1,13 @@use canapi::Endpoint;#[derive(Clone, Default, Serialize, Deserialize)]pub struct AppEndpoint {We can't use
FromFormin plume-api, or we would loose all the benefits of canapi.But I think I may add a
Server/Client/Bothwrapper type to specify when a field is required and make it easier to check if something has been forgotten.Or maybe canapi is just a bad idea and we should drop it... 🤔
I don't know if there is a better way to define this type. If I don't use
AandSin its definition, it refuses to build.As you can see, these two Options will actually always be None, never Some(A) or Some(S).
You can use PhantomData https://doc.rust-lang.org/beta/std/marker/struct.PhantomData.html, it'll probably do the trick
Simple example : https://gist.github.com/rust-play/9e51f5b8bb3a915a99d958f5ea982f1a
There are just a few quick things that should be changed or discussed, and this will be good to go
@ -0,0 +56,4 @@pub fn can_read(&self, scope: &'static str) -> bool {self.can("read", scope)}This is confusing because
cantake awhatset to "read" and ascopeset towhat.whatshould probably renamedscope, or something else should be renamed incan@ -0,0 +60,4 @@pub fn can_write(&self, scope: &'static str) -> bool {self.can("write", scope)}Same goes here (about variable naming)
Same here (about access without tokens)
this kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post if it's not)
Reviewer
e26a150164gemergt.Schritt 1:
Wechsle auf einen neuen Branch in deinem lokalen Repository und teste die Änderungen.Schritt 2:
Führe die Änderungen zusammen und aktualisiere den Stand online auf Forgejo.