Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API Authentication #285

Merged
merged 13 commits into from
Oct 30, 2018
Merged

API Authentication #285

merged 13 commits into from
Oct 30, 2018

Conversation

elegaanz
Copy link
Member

@elegaanz elegaanz commented Oct 21, 2018
edited
Loading

  • App model
  • API endpoint to register an app
  • ApiToken model
  • OAuth2 endpoint to get a token, from app and user credentials
  • make ApiToken a request guard

Fixes #275

@elegaanz elegaanz added A: API Related to the REST API C: Feature This is a new feature S: Incomplete This PR is not complete yet A: Security A: Backend Code running on the server labels Oct 21, 2018
trinity-1686a
trinity-1686a reviewed Oct 21, 2018
View reviewed changes
src/main.rs Outdated Show resolved Hide resolved
igalic
igalic reviewed Oct 22, 2018
View reviewed changes
Copy link
Contributor

@igalic igalic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👀

plume-models/src/apps.rs Show resolved Hide resolved
@elegaanz elegaanz added S: Ready for review This PR is ready to be reviewed and removed S: Incomplete This PR is not complete yet labels Oct 22, 2018
trinity-1686a
trinity-1686a reviewed Oct 22, 2018
View reviewed changes
Copy link
Contributor

@trinity-1686a trinity-1686a left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could help with readability to have a special type with some parameters, doing by itself something similar to ApiToken.can(), and which could be used as a request guard (so we could do something like fn read_post( [...] , _authorized: Authorization<Read, Post>) and it would deny request without tests to do by ourself)

docs/API.md Outdated Show resolved Hide resolved
plume-api/src/apps.rs
use canapi::Endpoint;

#[derive(Clone, Default, Serialize, Deserialize)]
pub struct AppEndpoint {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feel strange to be at the same time data received from Post (with id, client_id and client_secret ignored, as they must be generated by the server) and data returned by the api (with those same field used, and most likely different than what was originally posted if they where). It should either be 2 different struct or at least a struct with FromForm custom-implemented to ensure that

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't use FromForm in plume-api, or we would loose all the benefits of canapi.

But I think I may add a Server/Client/Both wrapper type to specify when a field is required and make it easier to check if something has been forgotten.

Or maybe canapi is just a bad idea and we should drop it... 🤔

plume-api/src/apps.rs Outdated Show resolved Hide resolved
src/api/mod.rs Outdated Show resolved Hide resolved
elegaanz
elegaanz commented Oct 23, 2018
View reviewed changes
src/api/authorization.rs Outdated Show resolved Hide resolved
elegaanz
elegaanz commented Oct 23, 2018
View reviewed changes
src/api/authorization.rs Outdated Show resolved Hide resolved
@elegaanz elegaanz force-pushed the api-auth branch 2 times, most recently from beb3d86 to 49e0605 Compare October 25, 2018 09:44
@elegaanz
Use PhantomData intead of two Options useless for Authorization
1a2ad8d 
And remove some warnings about unused parameters
trinity-1686a
trinity-1686a reviewed Oct 27, 2018
View reviewed changes
Copy link
Contributor

@trinity-1686a trinity-1686a left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are just a few quick things that should be changed or discussed, and this will be good to go

plume-models/src/api_tokens.rs Show resolved Hide resolved
plume-models/src/api_tokens.rs Show resolved Hide resolved
src/api/posts.rs Outdated Show resolved Hide resolved
src/api/posts.rs Outdated Show resolved Hide resolved
@elegaanz
Make Authorization optional for read routes
0006bdf 
Only require it when reading draft articles.
@elegaanz elegaanz merged commit e26a150 into master Oct 30, 2018
@elegaanz elegaanz deleted the api-auth branch October 30, 2018 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@igalic igalic igalic left review comments

@trinity-1686a trinity-1686a trinity-1686a approved these changes

Assignees
No one assigned
Labels
A: API Related to the REST API A: Backend Code running on the server A: Security C: Feature This is a new feature S: Ready for review This PR is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@elegaanz @igalic @trinity-1686a