
Update API docs & deprecate some older ones #1360

Merged
merged 6 commits into from
Oct 4, 2022

Commits on Oct 4, 2022

  1. docs/api-description.json: Emphasize Cookie auth

    Increases API version to 4.0.1.
    
    `GET /login` and passing credentials in the query string are now officially deprecated.
    jtojnar committed Oct 4, 2022 (commit 631f30b)
  2. api: replace GET /logout with DELETE /api/session/current

    and deprecate the former.
    
    Increases API version to 4.1.0.
    
    Using the `GET` method could, in theory, allow a limited DoS attack.
    While selfoss should absolutize all relative image `src` attributes when fetching a source, there may be bugs.
    Or, less likely, a malicious feed could guess the domain and use the absolute URL of `/logout`.
    Or if the user runs another app in the same context, it could be similarly hijacked.
    All those should probably be resolved by other means (e.g. CORS headers), but I doubt anyone will target selfoss users in this way just to annoy them.
    
    The `DELETE` method is as close to REST as we can get with session state.
    See also the discussion on https://stackoverflow.com/questions/3521290/logout-get-or-post
    
    Also fix the API docs, which incorrectly claimed that `/logout` works over `POST`.
    jtojnar committed Oct 4, 2022 (commit a8b820e)
  3. api: Deprecate POST /source/delete/:id

    It was actually introduced after `DELETE /source/:id`:
    
    2050272
    jtojnar committed Oct 4, 2022 (commit 5152d5d)
  4. api/update: Return 403 Forbidden on unallowed

    Make the error code explicit.
    
    This is an undocumented API, but we are still raising the API version since apps might have been relying on the `200 OK` status code for unallowed access.
    jtojnar committed Oct 4, 2022 (commit d1b04af)
  5. commit 7a0aff6
  6. client: Distinguish login failure from server error

    The 403 or 500 HTTP errors have nothing to do with selfoss credentials, so we should show a different error.
    While at it, move the error detection to the request function and remove the redundant redirect.
    jtojnar committed Oct 4, 2022 (commit b61c6a2)
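The client change in commit 6 amounts to one rule: only a successful HTTP response can tell the user their credentials were wrong, while a 403 or a 5xx must be reported as what it is. The following is an added example written for this page, not selfoss's own client code; it assumes (the page does not show it) that a 200 response carries a JSON body of the form `{"success": true|false}`.

```javascript
// Added example, not selfoss code. Assumption: on HTTP 200 the login endpoint
// answers with a JSON body {"success": true|false}; the real body format is
// not shown on this page.

function classifyLoginResponse(status, body) {
  // Transport-level failures first: these say nothing about the credentials.
  if (status === 403) {
    return 'forbidden';      // server refused access outright
  }
  if (status >= 500) {
    return 'server-error';   // backend/proxy problem; credentials never evaluated
  }
  if (status !== 200) {
    return 'unexpected';     // surfaced as-is, never as "wrong password"
  }
  // Only a well-formed 200 response can report a credential failure.
  if (body && body.success === true) {
    return 'ok';
  }
  if (body && body.success === false) {
    return 'bad-credentials';
  }
  return 'unexpected';       // 200 without the expected body is not a login failure
}

// The credential message is shown only for the 'bad-credentials' outcome.
const MESSAGES = {
  'ok': 'Logged in.',
  'bad-credentials': 'Wrong username or password.',
  'forbidden': 'Access denied by the server (not a credential problem).',
  'server-error': 'Server error; try again later.',
  'unexpected': 'Unexpected response from the server.',
};

function loginMessage(status, body) {
  return MESSAGES[classifyLoginResponse(status, body)];
}

// Constructed sample responses exercising each branch.
const SAMPLES = [
  { status: 200, body: { success: true } },
  { status: 200, body: { success: false } },
  { status: 403, body: null },
  { status: 502, body: null },
];
SAMPLES.forEach((s) => console.log(s.status, '->', loginMessage(s.status, s.body)));
```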