API Authentication
#285
Merged
elegaanz merged 13 commits from api-auth into master 5 years ago
Reference: Plume/Plume#285
- App model
- ApiToken model
- ApiToken as a request guard

Fixes #275
I think actually the whole /api can be authorized; if I remember well it's denoted by /api/<path..>
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
Should I be watching the canapi repo as well?
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
As you want
I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like
fn read_post( [...] , _authorized: Authorization<Read, Post>)
and it would deny the request without any tests we have to do ourselves).

Just "use apps" is maybe a bit unclear; maybe you should use the full path, and also tell how to use it (do a POST with such data, and such other is optional, and...).
name seems to be required by 36297101f2/plume-models/src/apps.rs (L47), so I think it should not be an Option.
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
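Review bot: deriving Deserialize together with Serialize and Default on the single AppEndpoint type means every field, including the ones the discussion below says the server generates (id, client_id, client_secret), is accepted from the POST body and silently defaulted when absent, so a client can submit its own client_id or client_secret and the code has to remember to overwrite them. Either split this into a request struct that has no server-owned fields and a response struct that does, or keep one struct and mark the server-owned fields `#[serde(skip_deserializing)]` so they can never be supplied by the client.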
This feels strange to be at the same time data received from POST (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the API (with those same fields used, and most likely different from what was originally posted, if they were). It should either be two different structs or at least a struct with FromForm custom-implemented to ensure that
Both error messages ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170.
The request should be documented with Swagger (but it is broken for the moment 😢).
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
We can't use FromForm in plume-api, or we would lose all the benefits of canapi. But I think I may add a Server/Client/Both wrapper type to specify when a field is required and make it easier to check if something has been forgotten. Or maybe canapi is just a bad idea and we should drop it... 🤔
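As an added example (not Plume's or canapi's code), here is one way to do the split asked for in the review comment above and the "required field" check the wrapper-type idea is aiming at: NewApp holds only what the client may send, App holds only what the server owns, and a hand-written form parser (standing in for a custom FromForm impl) rejects any body that tries to supply id, client_id or client_secret. The field names, the form-body format and the injected random bytes are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Added example, not Plume's code. The single AppEndpoint from the PR is split into
// the client-supplied request (NewApp) and the server-owned record (App), and the
// request parser refuses server-generated fields instead of silently ignoring them.

/// Fields a client may send when registering an app. `name` is mandatory,
/// matching the NOT NULL column the reviewer pointed at in plume-models.
#[derive(Debug, Clone, PartialEq)]
pub struct NewApp {
    pub name: String,
    pub website: Option<String>,
    pub redirect_uri: Option<String>,
}

/// What the server stores and returns. `id`, `client_id` and `client_secret`
/// exist only here, so they cannot be round-tripped from a POST body.
#[derive(Debug, Clone, PartialEq)]
pub struct App {
    pub id: i32,
    pub name: String,
    pub client_id: String,
    pub client_secret: String,
    pub website: Option<String>,
    pub redirect_uri: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum FormError {
    MissingName,
    ServerOnlyField(String),
    UnknownField(String),
}

/// Names the client must never be allowed to set (assumed from the PR discussion).
const SERVER_ONLY: &[&str] = &["id", "client_id", "client_secret"];
/// The only keys a registration body may carry (assumed).
const CLIENT_FIELDS: &[&str] = &["name", "website", "redirect_uri"];

impl NewApp {
    /// Hand-written form parser standing in for a custom FromForm impl.
    /// Input is a `k=v&k=v` body; percent-decoding is omitted for brevity.
    pub fn from_form(body: &str) -> Result<NewApp, FormError> {
        let mut fields: HashMap<&str, &str> = HashMap::new();
        for pair in body.split('&').filter(|p| !p.is_empty()) {
            let (key, value) = pair.split_once('=').unwrap_or((pair, ""));
            if SERVER_ONLY.contains(&key) {
                // Reject rather than ignore: a client sending client_secret is a bug or an attack.
                return Err(FormError::ServerOnlyField(key.to_string()));
            }
            if !CLIENT_FIELDS.contains(&key) {
                return Err(FormError::UnknownField(key.to_string()));
            }
            fields.insert(key, value);
        }
        // `name` is required and must be non-empty; everything else is optional.
        let name = match fields.get("name") {
            Some(n) if !n.is_empty() => n.to_string(),
            _ => return Err(FormError::MissingName),
        };
        let opt = |k: &str| fields.get(k).filter(|v| !v.is_empty()).map(|v| v.to_string());
        Ok(NewApp { name, website: opt("website"), redirect_uri: opt("redirect_uri") })
    }
}

/// Hex-encodes bytes without pulling in an external crate.
fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Server side: the caller injects the database-assigned `id` and CSPRNG output for the
/// identifier and secret (in a real server from the `rand` crate; injected here so the
/// example runs offline). Nothing from the request can influence these values.
pub fn create_app(req: NewApp, id: i32, client_id_bytes: [u8; 16], secret_bytes: [u8; 32]) -> App {
    App {
        id,
        name: req.name,
        client_id: hex(&client_id_bytes),
        client_secret: hex(&secret_bytes),
        website: req.website,
        redirect_uri: req.redirect_uri,
    }
}

fn main() {
    let body = "name=Mobile&website=https://example.invalid";
    let app = create_app(NewApp::from_form(body).unwrap(), 1, [0x11; 16], [0x22; 32]);
    println!("{:?}", app);
    println!("{:?}", NewApp::from_form("name=Mobile&client_secret=abc"));
}
```

Because App has no constructor that takes a client-supplied id or secret, the "ignore these fields on input" rule the reviewer wanted is enforced by the types rather than by a check someone has to remember to write; rejecting the server-only keys with an explicit error (instead of dropping them) also makes a client or a test that sends them fail loudly.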
I don't know if there is a better way to define this type. If I don't use A and S in its definition, it refuses to build. As you can see, these two Options will actually always be None, never Some(A) or Some(S).
You can use PhantomData (https://doc.rust-lang.org/beta/std/marker/struct.PhantomData.html), it'll probably do the trick.
Simple example: https://gist.github.com/rust-play/9e51f5b8bb3a915a99d958f5ea982f1a
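As an added example, not code from this PR or from Plume, here is the Authorization<Read, Post> guard sketched in the earlier review comment, built with PhantomData as suggested just above: the action and the resource are zero-sized marker types, the only constructor checks ApiToken::can with the same (what, scope) argument order as the PR, and a handler that takes an Authorization<Read, Post> value cannot be reached without one. The scope string format ("action:resource" with "*" wildcards), the marker names and the Unauthorized error type are assumptions; Rocket's FromRequest plumbing is replaced by a plain dispatch function so the code runs offline.

```rust
use std::marker::PhantomData;

// Added example, not Plume's code. Stand-in for the PR's ApiToken model: `scopes`
// holds "<action>:<resource>" entries such as "read:posts" (format is an assumption).
#[derive(Debug, Clone, PartialEq)]
pub struct ApiToken {
    pub scopes: Vec<String>,
}

impl ApiToken {
    pub fn new(scopes: &[&str]) -> Self {
        ApiToken { scopes: scopes.iter().map(|s| s.to_string()).collect() }
    }

    /// Same shape as the PR's `can(what, scope)`: `what` is the action, `scope` the resource.
    /// "*" on either side of the colon is a wildcard (assumed semantics).
    pub fn can(&self, what: &str, scope: &str) -> bool {
        self.scopes.iter().any(|granted| match granted.split_once(':') {
            Some((action, resource)) => {
                (action == what || action == "*") && (resource == scope || resource == "*")
            }
            None => false,
        })
    }
}

/// Type-level markers. They carry no data at runtime, which is exactly why the
/// struct below needs PhantomData to mention them.
pub trait Action { const NAME: &'static str; }
pub trait Resource { const NAME: &'static str; }

pub struct Read;
pub struct Write;
impl Action for Read { const NAME: &'static str = "read"; }
impl Action for Write { const NAME: &'static str = "write"; }

pub struct Post;
pub struct Comment;
impl Resource for Post { const NAME: &'static str = "posts"; }
impl Resource for Comment { const NAME: &'static str = "comments"; }

#[derive(Debug, PartialEq)]
pub enum Unauthorized {
    MissingToken,
    InsufficientScope { needed: String },
}

/// Proof that a token may perform action `A` on resource `R`. The fields are private
/// and `try_from_token` is the only constructor, so holding a value of this type is
/// the authorization check; a handler cannot forget to do it.
pub struct Authorization<A: Action, R: Resource> {
    token: ApiToken,
    _marker: PhantomData<(A, R)>,
}

impl<A: Action, R: Resource> Authorization<A, R> {
    pub fn needed_scope() -> String {
        format!("{}:{}", A::NAME, R::NAME)
    }

    /// What a request guard would run before the handler: no token, or a token
    /// without the required scope, never produces an Authorization value.
    pub fn try_from_token(token: Option<&ApiToken>) -> Result<Self, Unauthorized> {
        let token = token.ok_or(Unauthorized::MissingToken)?;
        if token.can(A::NAME, R::NAME) {
            Ok(Authorization { token: token.clone(), _marker: PhantomData })
        } else {
            Err(Unauthorized::InsufficientScope { needed: Self::needed_scope() })
        }
    }

    pub fn token(&self) -> &ApiToken {
        &self.token
    }
}

/// Handler in the shape the reviewer proposed: the guard is a parameter, not a call inside.
pub fn read_post(id: u64, _authorized: Authorization<Read, Post>) -> String {
    format!("post {}", id)
}

/// Simulated dispatch for GET /api/posts/<id> (route is an assumption).
pub fn handle_read_post(token: Option<&ApiToken>, id: u64) -> Result<String, Unauthorized> {
    let auth = Authorization::<Read, Post>::try_from_token(token)?;
    Ok(read_post(id, auth))
}

fn main() {
    let reader = ApiToken::new(&["read:posts"]);
    println!("{:?}", handle_read_post(Some(&reader), 1));
    println!("{:?}", handle_read_post(None, 1));
}
```

Because the type parameters are phantom, Authorization<Read, Post> and Authorization<Write, Post> are distinct types: passing a read proof to a handler that wants a write proof is a compile error, which is the "no tests to do by ourselves" property the reviewer was after. The same pattern also answers the later remark about endpoints that work without a token: such a handler simply takes Option<Authorization<Read, Post>> and decides what to do when it is None.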
There are just a few quick things that should be changed or discussed, and this will be good to go
@ -0,0 +56,4 @@
pub fn can_read(&self, scope: &'static str) -> bool {
self.can("read", scope)
}
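Review bot: `scope: &'static str` in `can_read` restricts callers to string literals (or deliberately leaked strings), which rules out a scope derived at request time, such as a resource name taken from the path; unless `can` stores the reference, a plain `&str` is enough, i.e. `pub fn can_read(&self, scope: &str) -> bool`. The wrapper also has no doc comment saying what a scope value looks like or whether "write" is meant to imply "read"; with two separate hardcoded strings that relationship is invisible to callers, so document it here.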
This is confusing because `can` takes a `what` set to "read" and a `scope` set to `what`. `what` should probably be renamed `scope`, or something else should be renamed in `can`.
@ -0,0 +60,4 @@
pub fn can_write(&self, scope: &'static str) -> bool {
self.can("write", scope)
}
Same goes here (about variable naming)
Same here (about access without tokens).
This kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post, if it's not).