Plume/Plume
9
18
Fork 24
Código Incidencias 177 Pull requests 8 Lanzamientos 8 Wiki Actividad

API Authentication #285

Fusionado
elegaanz fusionó 13 commits de api-auth en master 2018-10-30 17:13:50 +00:00
Conversación 0 Commits 13 Archivos modificados 23 +489 -18
elegaanz comentado 2018-10-21 16:28:07 +00:00 (Migrado desde github.com)
Copiar enlace
  • App model
  • API endpoint to register an app
  • ApiToken model
  • OAuth2 endpoint to get a token, from app and user credentials
  • make ApiToken a request guard

Fixes #275

- [x] `App` model - [x] API endpoint to register an app - [x] `ApiToken` model - [x] OAuth2 endpoint to get a token, from app and user credentials - [x] make `ApiToken` a request guard Fixes #275
❤️ 2
trinity-1686a revisó 2018-10-21 18:54:15 +00:00
src/main.rs
trinity-1686a comentado 2018-10-21 18:54:15 +00:00
Propietario
Copiar enlace

I think actually the whole /api can be authorized, if I remember well it's denoted by /api/<path..>

I think actually the whole `/api` can be authorized, if I remember well it's denoted by `/api/<path..>`
igalic (Migrado desde github.com) revisó 2018-10-22 08:35:57 +00:00
igalic (Migrado desde github.com) dejó un comentario
Copiar enlace

👀

👀
plume-models/src/apps.rs
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
igalic (Migrado desde github.com) comentado 2018-10-22 08:31:27 +00:00
Copiar enlace

should i be watching the canapi repo as well?

should i be watching the canapi repo as well?
elegaanz (Migrado desde github.com) revisó 2018-10-22 14:11:30 +00:00
plume-models/src/apps.rs
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
elegaanz (Migrado desde github.com) comentado 2018-10-22 14:11:30 +00:00
Copiar enlace

As you want

As you want
trinity-1686a revisó 2018-10-22 19:55:39 +00:00
trinity-1686a dejó un comentario
Propietario
Copiar enlace

I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like fn read_post( [...] , _authorized: Authorization<Read, Post>) and it would deny request without tests to do by ourself)

I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like `fn read_post( [...] , _authorized: Authorization<Read, Post>)` and it would deny request without tests to do by ourself)
docs/API.md
trinity-1686a comentado 2018-10-22 19:27:41 +00:00
Propietario
Copiar enlace

Just "use apps" is maybe a bit unclear, maybe you should use the full path, and also tell how to use it (Do a post with such data, and such other is optional and....)

token. To do so, use the `/api/v1/apps` API (accessible without a token) to create
Just "use apps" is maybe a bit unclear, maybe you should use the full path, and also tell how to use it (Do a post with such data, and such other is optional and....) ```suggestion token. To do so, use the `/api/v1/apps` API (accessible without a token) to create ```
plume-api/src/apps.rs
trinity-1686a comentado 2018-10-22 19:39:42 +00:00
Propietario
Copiar enlace

name seems to be required by 36297101f2/plume-models/src/apps.rs (L47)
So I think it should not be an Option

name seems to be required by https://github.com/Plume-org/Plume/blob/36297101f261f473fd03d86a22f46379d125e002/plume-models/src/apps.rs#L47 So I think it should not be an Option
plume-api/src/apps.rs
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
trinity-1686a comentado 2018-10-22 19:39:31 +00:00
Propietario
Copiar enlace

This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that

This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that
src/api/mod.rs
trinity-1686a comentado 2018-10-22 19:47:14 +00:00
Propietario
Copiar enlace

both error message ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170

both error message ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170
elegaanz (Migrado desde github.com) revisó 2018-10-22 19:57:15 +00:00
docs/API.md
elegaanz (Migrado desde github.com) comentado 2018-10-22 19:57:13 +00:00
Copiar enlace

The request should be documented with Swagger (but it is broken for the moment 😢)

The request should be documented with Swagger (but it is broken for the moment :cry:)
elegaanz (Migrado desde github.com) revisó 2018-10-22 20:01:38 +00:00
plume-api/src/apps.rs
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
elegaanz (Migrado desde github.com) comentado 2018-10-22 20:01:38 +00:00
Copiar enlace

We can't use FromForm in plume-api, or we would loose all the benefits of canapi.

But I think I may add a Server/Client/Both wrapper type to specify when a field is required and make it easier to check if something has been forgotten.

Or maybe canapi is just a bad idea and we should drop it... 🤔

We can't use `FromForm` in plume-api, or we would loose all the benefits of canapi. But I think I may add a `Server`/`Client`/`Both` wrapper type to specify when a field is required and make it easier to check if something has been forgotten. Or maybe canapi is just a bad idea and we should drop it... :thinking:
elegaanz (Migrado desde github.com) revisó 2018-10-23 11:19:07 +00:00
src/api/authorization.rs
elegaanz (Migrado desde github.com) comentado 2018-10-23 11:19:06 +00:00
Copiar enlace

I don't know if there is a better way to define this type. If I don't use A and S in its definition, it refuses to build.

I don't know if there is a better way to define this type. If I don't use `A` and `S` in its definition, it refuses to build.
elegaanz (Migrado desde github.com) revisó 2018-10-23 11:19:58 +00:00
src/api/authorization.rs
elegaanz (Migrado desde github.com) comentado 2018-10-23 11:19:58 +00:00
Copiar enlace

As you can see, these two Options will actually always be None, never Some(A) or Some(S).

As you can see, these two Options will actually always be None, never Some(A) or Some(S).
trinity-1686a revisó 2018-10-23 19:29:12 +00:00
src/api/authorization.rs
trinity-1686a comentado 2018-10-23 19:29:11 +00:00
Propietario
Copiar enlace

You can use PhantomData https://doc.rust-lang.org/beta/std/marker/struct.PhantomData.html, it'll probably do the trick
Simple example : https://gist.github.com/rust-play/9e51f5b8bb3a915a99d958f5ea982f1a

You can use PhantomData https://doc.rust-lang.org/beta/std/marker/struct.PhantomData.html, it'll probably do the trick Simple example : https://gist.github.com/rust-play/9e51f5b8bb3a915a99d958f5ea982f1a
trinity-1686a revisó 2018-10-27 21:13:02 +00:00
trinity-1686a dejó un comentario
Propietario
Copiar enlace

There are just a few quick things that should be changed or discussed, and this will be good to go

There are just a few quick things that should be changed or discussed, and this will be good to go
plume-models/src/api_tokens.rs
@ -0,0 +56,4 @@
pub fn can_read(&self, scope: &'static str) -> bool {
self.can("read", scope)
}
trinity-1686a comentado 2018-10-27 21:01:25 +00:00
Propietario
Copiar enlace

This is confusing because can take a what set to "read" and a scope set to what. what should probably renamed scope, or something else should be renamed in can

This is confusing because `can` take a `what` set to "read" and a `scope` set to `what`. `what` should probably renamed `scope`, or something else should be renamed in `can`
plume-models/src/api_tokens.rs
@ -0,0 +60,4 @@
pub fn can_write(&self, scope: &'static str) -> bool {
self.can("write", scope)
}
trinity-1686a comentado 2018-10-27 21:01:34 +00:00
Propietario
Copiar enlace

Same goes here (about variable naming)

Same goes here (about variable naming)
src/api/posts.rs
trinity-1686a comentado 2018-10-27 21:11:44 +00:00
Propietario
Copiar enlace

Same here (about access without tokens)

Same here (about access without tokens)
trinity-1686a comentado 2018-10-27 21:11:46 +00:00
Propietario
Copiar enlace

this kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post if it's not)

this kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post if it's not)
trinity-1686a aprobó estos cambios 2018-10-30 15:44:15 +00:00
Inicie sesión para unirse a esta conversación.
Revisores
No hay revisores
trinity-1686a
Etiquetas
Limpiar etiquetas   
A: API

Related to the REST API

  
A: Backend

Code running on the server

  
A: Federation

Stuff related to Federation

  
A: Front-End

Related to the front-end

  
A: I18N

Translations, and related code

  
A: Meta

More about project management or code than the project itself

  
A: Security

   
Build

The building, or installation process of Plume

  
C: Bug

Something isn't working

  
C: Discussion

We need to talk

  
C: Enhancement

New feature or request

  
C: Feature

This is a new feature

  
Compatibility

Compatibility with different browsers, readers and OS

  
Dependency

Related to an external package that Plume uses

  
Design

UI/UX related issues and PRs

  
Documentation

   
Good first issue

Good for newcomers

  
Help welcome

Extra attention is needed

  
Mobile

Issues affecting only mobile UX

  
Rendering

How elements're rendered out for the end user

  
S: Blocked

Something else needs to be fixed first

  
S: Duplicate

This issue or pull request already exists

  
S: Incomplete

This PR is not complete yet

  
S: Instance specific

Issues concern a limited number of instances

  
S: Invalid

This doesn't seem right

  
S: Needs Voting/Discussion

Need to be discussed by the community (on Loomio)

  
S: Ready for review

This PR is ready to be reviewed

  
Suggestion

Proposed ideas worth considering

  
S: Voted on Loomio

This is issue has been created after a vote on Loomio

  
S: Wontfix

This will not be worked on

Sin etiquetas
A: API
A: Backend
A: Federation
A: Front-End
A: I18N
A: Meta
A: Security
Build
C: Bug
C: Discussion
C: Enhancement
C: Feature
Compatibility
Dependency
Design
Documentation
Good first issue
Help welcome
Mobile
Rendering
S: Blocked
S: Duplicate
S: Incomplete
S: Instance specific
S: Invalid
S: Needs Voting/Discussion
S: Ready for review
Suggestion
S: Voted on Loomio
S: Wontfix
Milestone
Limpiar Milestone
No hay elementos
Sin hito
Proyectos
Limpiar proyectos
No hay elementos
Ningún proyecto
Asignados
Limpiar asignados
Sin encargados
2 participantes
Notificaciones
Fecha límite
La fecha límite es inválida o está fuera de rango. Por favor utiliza el formato "aaaa-mm-dd".

Fecha límite no definida.

Dependencias

No se han establecido dependencias.

Referencia: Plume/Plume#285
No se ha proporcionado una descripción.
Eliminar rama "api-auth "

Eliminar una rama es permanente. Aunque la rama eliminada puede continuar existiendo durante un corto tiempo antes de que sea eliminada, en la mayoría de los casos NO PUEDE deshacerse. ¿Continuar?