Documentation mentions htsApp should pass the poster's username in the payload. i.e.
{
  "heading": "a heading for the posting",
  "body": "body of the posting",
  "expires": "2015/01/31",
  "username": "brozeph"
}
For security purposes, should the posting-API validate the user's session cookie and look up the username on the server side? Or return 'please sign in' if the user is logged out?
My original posting API looked like:
exports.savePost = function (req, res) {
  // Grab the payload out of req.body (whatever the client sent, unvalidated)
  var newPost = req.body;
  // Assumes session middleware has already populated req.user; there is no
  // logged-in check here, so this line throws if the user is logged out.
  // The username is taken from the session and added to the payload.
  newPost.seller_username = req.user.user_settings.name;
  // Use the HTSpost Mongoose model (defined elsewhere in the app) to save the payload to Mongo
  var htsPost = new HTSpost(newPost);
  htsPost.save(function (err) {
    if (err) {
      res.send({success: false, error: err});
    } else {
      res.send({success: true});
    }
  });
};
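As an added example (not code from this issue or the project), here is the server-side variant the question asks about: the handler answers 'please sign in' with a 401 when there is no session, and takes the seller's username only from req.user, discarding any username the client put in the payload. The in-memory store, the fake response object and the 'alice' session are stand-ins so it runs without Express or Mongo.

```javascript
'use strict';

const savedPosts = [];           // stand-in for the HTSpost collection

// Only these fields are copied from the client payload; everything else
// (including a client-supplied "username") is dropped.
const ALLOWED_FIELDS = ['heading', 'body', 'expires'];

function buildPost(body, sessionUser) {
  const post = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] === 'string') post[field] = body[field];
  }
  // Identity comes from the server-side session, never from the payload.
  post.seller_username = sessionUser.user_settings.name;
  return post;
}

function savePost(req, res) {
  // Session check first: an unauthenticated caller is told to sign in
  // instead of the handler crashing on req.user being undefined.
  if (!req.user || !req.user.user_settings || !req.user.user_settings.name) {
    return res.status(401).send({ success: false, error: 'please sign in' });
  }
  const newPost = buildPost(req.body || {}, req.user);
  savedPosts.push(newPost);
  return res.status(201).send({ success: true, post: newPost });
}

// Minimal stand-in for an Express response object (constructed for the demo).
function fakeRes() {
  const res = { statusCode: 200, payload: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (data) => { res.payload = data; return res; };
  return res;
}

// Demo: a logged-in user ("alice", constructed session) sends a payload that
// names somebody else in "username"; a second caller has no session at all.
function demo() {
  const forged = { heading: 'h', body: 'b', expires: '2015/01/31', username: 'brozeph' };
  const ok = fakeRes();
  savePost({ body: forged, user: { user_settings: { name: 'alice' } } }, ok);
  const denied = fakeRes();
  savePost({ body: forged }, denied);            // no session -> 401
  return { ok, denied };
}
```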
My thinking here was to not add any form of authentication into the API just yet. My gut tells me that our best bet is to start with a bi-directional x509 cert to secure communication between the UI and the API and have the UI manage the appropriate permissions and state for now (i.e. make the API kinda dumb for the time being).
Over time, I think we want to replace this with OAuth... but getting that up and running in the very near term will be challenging (it's not exactly hard, but could take a couple weeks to get it right).
On Thursday, February 12, 2015, Joshua Thomas [email protected] wrote:
brozeph changed the title from "Should API lookup user?" to "Implement API authentication strategy" on Feb 12, 2015.