
Update API docs & deprecate some older ones #1360

Merged (6 commits), Oct 4, 2022

Conversation

jtojnar (Member) commented Sep 30, 2022

  • Emphasize Cookie auth in docs
  • Replace GET /logout with DELETE /api/session/current
  • Deprecate POST /source/delete/:id
  • Make POST /source/update and POST /source/:id/update return 403 on authorization failure (cc @davidoskky for /update specs #1357)

cc @aminecmi

jtojnar force-pushed the api-docs branch 3 times, most recently from 73232b7 to 3ba91ae, on October 4, 2022 13:30
Increases API version to 4.0.1.

`GET /login` and passing credentials in query string is now officially deprecated.
and deprecate the former.

Increases API version to 4.1.0.

Using the `GET` method could, in theory, allow a limited DoS attack.
While selfoss should absolutize all relative image `src` attributes when fetching a source, there may be bugs.
Or, less likely, a malicious feed could guess the domain and use the absolute URL of `/logout`.
Or if a user runs another app in the same context, it could be similarly hijacked.
All those should probably be resolved by other means (e.g. CORS headers), but I doubt anyone will target selfoss users in this way just to annoy them.

`DELETE` method is as close to REST as we can get with session state.
See also the discussion on https://stackoverflow.com/questions/3521290/logout-get-or-post

Also fix the API docs, which incorrectly claimed that `/logout` works over `POST`.
It was actually introduced after `DELETE /source/:id`:

2050272
Make the error code explicit.

This is an undocumented API, but we are still raising the API version since apps might have been relying on the `200 OK` status code for unallowed access.
The 403 or 500 HTTP errors have nothing to do with selfoss credentials so we should show a different error.
While at it, move the error detection to the request function and remove redundant redirect.
@jtojnar jtojnar merged commit b61c6a2 into master Oct 4, 2022
@jtojnar jtojnar deleted the api-docs branch October 4, 2022 13:53
@jtojnar jtojnar added this to the 2.19 milestone Oct 4, 2022