Skip to content

bz REST API #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ghost wants to merge 1 commit into
base: master
Choose a base branch
from
Open

bz REST API #9

ghost wants to merge 1 commit into from

Conversation

@ghost
Copy link

@ghost ghost commented Jan 19, 2016

No description provided.

@ghost
Copy link
Author

ghost commented Jan 27, 2016

Hmmm ... I am not a specialist, but wouldn't asking the user to provide account name / password exclude other kinds of OAuth-based authentication methods?

@Nemikolh
Copy link
Contributor

Nemikolh commented Jan 27, 2016

Not really, this could be added later: see for example this.
This is one of the nice things with passportjs. 😃

Nemikolh
Nemikolh reviewed Mar 23, 2016
View reviewed changes
rsp/00x_bz_rest_api.md
@@ -0,0 +1,159 @@
# RSP - 1 — *bz* REST API

Copy link
Contributor

@Nemikolh Nemikolh Mar 23, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should mention that everything should be prefixed by something like /api/v1/bz. If you agree to this convention (obviously). Note that @Vaelden added this to the top of his RSP regarding the lycan API.

@ghost
Copy link
Author

ghost commented Mar 29, 2016

It feels like something is missing from this specification: how exactly do you handle authentication?

Do you just have a parameter for each request, something like ?private_token=fa56974353e967b1db93c116df4872a15cbecb9b? In that case, shouldn't it be returned in the POST /login request?

ghost
ghost reviewed May 26, 2016
View reviewed changes
rsp/00x_bz_rest_api.md
200 | Success
400 | Error in request body
403 | This account is already connected
404 | No account for the given url
Copy link

@ghost ghost May 26, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Returning a different error code when an account does not exists and when an account exists but the password is incorrect leaks some information that an attacker could use to first find a correct account name, and then do password attacks on it. I would prefer if we just have an error code for "username or password incorrect". Github uses 401 Unauthorized for this purpose.

@lthms
Copy link

lthms commented May 27, 2016

I hope I will have time this weekend to address these remarks and update both the RSP and the implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

discussion rsp

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Nemikolh @lthms