API Authentication #285

Fusionnée
elegaanz a fusionné 13 révision(s) à partir de api-auth vers master il y a 5 ans
elegaanz a commenté il y a 6 ans (Migré de github.com)
  • App model
  • API endpoint to register an app
  • ApiToken model
  • OAuth2 endpoint to get a token, from app and user credentials
  • make ApiToken a request guard

Fixes #275

- [x] `App` model - [x] API endpoint to register an app - [x] `ApiToken` model - [x] OAuth2 endpoint to get a token, from app and user credentials - [x] make `ApiToken` a request guard Fixes #275
trinity-1686a révisé il y a 6 ans
Propriétaire

I think actually the whole /api can be authorized, if I remember well it's denoted by /api/<path..>

I think actually the whole `/api` can be authorized, if I remember well it's denoted by `/api/<path..>`
igalic (Migré de github.com) révisé il y a 6 ans
igalic (Migré de github.com) laisser un commentaire

👀

👀
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
igalic (Migré de github.com) a commenté il y a 6 ans

should i be watching the canapi repo as well?

should i be watching the canapi repo as well?
elegaanz (Migré de github.com) révisé il y a 6 ans
@ -0,0 +1,77 @@
use canapi::{Error, Provider};
elegaanz (Migré de github.com) a commenté il y a 6 ans

As you want

As you want
trinity-1686a révisé il y a 6 ans
trinity-1686a laisser un commentaire
Propriétaire

I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like fn read_post( [...] , _authorized: Authorization<Read, Post>) and it would deny request without tests to do by ourself)

I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like `fn read_post( [...] , _authorized: Authorization<Read, Post>)` and it would deny request without tests to do by ourself)
Propriétaire

Just "use apps" is maybe a bit unclear, maybe you should use the full path, and also tell how to use it (Do a post with such data, and such other is optional and....)

token. To do so, use the `/api/v1/apps` API (accessible without a token) to create
Just "use apps" is maybe a bit unclear, maybe you should use the full path, and also tell how to use it (Do a post with such data, and such other is optional and....) ```suggestion token. To do so, use the `/api/v1/apps` API (accessible without a token) to create ```
Propriétaire

name seems to be required by 36297101f2/plume-models/src/apps.rs (L47)
So I think it should not be an Option

name seems to be required by https://github.com/Plume-org/Plume/blob/36297101f261f473fd03d86a22f46379d125e002/plume-models/src/apps.rs#L47 So I think it should not be an Option
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
Propriétaire

This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that

This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that
Propriétaire

both error message ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170

both error message ("Wrong password" and "Unknown user") should probably be merged, for similar reasons as #170
elegaanz (Migré de github.com) révisé il y a 6 ans
elegaanz (Migré de github.com) a commenté il y a 6 ans

The request should be documented with Swagger (but it is broken for the moment 😢)

The request should be documented with Swagger (but it is broken for the moment :cry:)
elegaanz (Migré de github.com) révisé il y a 6 ans
@ -0,0 +1,13 @@
use canapi::Endpoint;
#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
elegaanz (Migré de github.com) a commenté il y a 6 ans

We can't use FromForm in plume-api, or we would loose all the benefits of canapi.

But I think I may add a Server/Client/Both wrapper type to specify when a field is required and make it easier to check if something has been forgotten.

Or maybe canapi is just a bad idea and we should drop it... 🤔

We can't use `FromForm` in plume-api, or we would loose all the benefits of canapi. But I think I may add a `Server`/`Client`/`Both` wrapper type to specify when a field is required and make it easier to check if something has been forgotten. Or maybe canapi is just a bad idea and we should drop it... :thinking:
elegaanz (Migré de github.com) révisé il y a 6 ans
elegaanz (Migré de github.com) a commenté il y a 6 ans

I don't know if there is a better way to define this type. If I don't use A and S in its definition, it refuses to build.

I don't know if there is a better way to define this type. If I don't use `A` and `S` in its definition, it refuses to build.
elegaanz (Migré de github.com) révisé il y a 6 ans
elegaanz (Migré de github.com) a commenté il y a 6 ans

As you can see, these two Options will actually always be None, never Some(A) or Some(S).

As you can see, these two Options will actually always be None, never Some(A) or Some(S).
trinity-1686a révisé il y a 6 ans
Propriétaire
You can use PhantomData https://doc.rust-lang.org/beta/std/marker/struct.PhantomData.html, it'll probably do the trick Simple example : https://gist.github.com/rust-play/9e51f5b8bb3a915a99d958f5ea982f1a
trinity-1686a révisé il y a 5 ans
trinity-1686a laisser un commentaire
Propriétaire

There are just a few quick things that should be changed or discussed, and this will be good to go

There are just a few quick things that should be changed or discussed, and this will be good to go
@ -0,0 +56,4 @@
pub fn can_read(&self, scope: &'static str) -> bool {
self.can("read", scope)
}
Propriétaire

This is confusing because can take a what set to "read" and a scope set to what. what should probably renamed scope, or something else should be renamed in can

This is confusing because `can` take a `what` set to "read" and a `scope` set to `what`. `what` should probably renamed `scope`, or something else should be renamed in `can`
@ -0,0 +60,4 @@
pub fn can_write(&self, scope: &'static str) -> bool {
self.can("write", scope)
}
Propriétaire

Same goes here (about variable naming)

Same goes here (about variable naming)
Propriétaire

Same here (about access without tokens)

Same here (about access without tokens)
Propriétaire

this kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post if it's not)

this kind of endpoint can probably be called without tokens, at least as long as the post is published (and require a valid authorization, from a user having access to the post if it's not)
trinity-1686a ces changements ont été approuvés il y a 5 ans

Relecteurs

trinity-1686a ces changements ont été approuvés il y a 5 ans
La demande d'ajout a été fusionnée en e26a150164.
Vous pouvez également voir les instructions en ligne de commande.

Étape 1:

Depuis le dépôt de votre projet, sélectionnez une nouvelle branche et testez les modifications.
git checkout -b api-auth master
git pull origin api-auth

Étape 2:

Fusionner les modifications et mettre à jour sur Forgejo.
git checkout master
git merge --no-ff api-auth
git push origin master
Connectez-vous pour rejoindre cette conversation.
Aucune évaluation
Aucun jalon
Pas d'assignataires
2 participants
Notifications
Échéance
La date d’échéance est invalide ou hors plage. Veuillez utiliser le format 'aaaa-mm-dd'.

Aucune échéance n'a été définie.

Dépendances

No dependencies set.

Reference: Plume/Plume#285
Chargement…
Il n'existe pas encore de contenu.