bz REST API#9
Hmmm ... I am not a specialist, but wouldn't asking the user to provide account name / password exclude other kinds of OAuth-based authentication methods?
Not really, this could be added later: see for example this.
| @@ -0,0 +1,159 @@ | |||
| # RSP - 1 — *bz* REST API | |||
I think you should mention that everything should be prefixed by something like /api/v1/bz. If you agree to this convention (obviously). Note that @Vaelden added this to the top of his RSP regarding the lycan API.
It feels like something is missing from this specification: how exactly do you handle authentication? Do you just have a parameter for each request, something like
| 200 | Success | ||
| 400 | Error in request body | ||
| 403 | This account is already connected | ||
| 404 | No account for the given url |
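Review bot: 403 Forbidden for "This account is already connected" describes a state conflict rather than a denied permission; 409 Conflict matches that row better. The 404 row, as raised in the thread below, lets a client tell an unknown account apart from a wrong password, so both failures should collapse into one 401 row, e.g. `| 401 | Username or password incorrect |`, and the 404 row should go.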
Returning a different error code when an account does not exist and when an account exists but the password is incorrect leaks some information that an attacker could use to first find a correct account name, and then do password attacks on it. I would prefer if we just have an error code for "username or password incorrect". GitHub uses 401 Unauthorized for this purpose.
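As an added illustration of the comment above (example code written for this page, not from the bz project or the RSP): a login check that mirrors the 404/401 split in the status table beside one that returns a single 401 for both failures, plus the check a reviewer can run to confirm the two responses are no longer distinguishable. The in-memory user store, the PBKDF2 hashing helper and all function names are assumptions.

```python
"""Added example: account-existence leak via status codes, and its fix."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (assumed scheme, not the RSP's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample store: username -> (salt, hash). Not from the PR.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used on the unknown-account path so that both failure
# paths do the same hashing work and take about the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Mirrors the table in the RSP: 404 for an unknown account, a separate
    code for a bad password. The status code alone reveals which accounts
    exist."""
    if username not in USERS:
        return 404, "No account for the given url"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "Success"


def login_uniform(username: str, password: str):
    """Single 401 for both failures, as the review comment suggests.
    The hash is always computed, even for an unknown account, so the
    response code, body and timing are the same on both failure paths."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), stored) and known
    if not ok:
        return 401, "Username or password incorrect"
    return 200, "Success"


def leaks_account_existence(handler) -> bool:
    """Reviewer's check: does an unknown account get a different response
    than a known account with the wrong password?"""
    unknown = handler("nobody", "wrong")
    wrong_pw = handler("alice", "wrong")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_account_existence(login_leaky))
    print("uniform handler leaks:", leaks_account_existence(login_uniform))
```

`leaks_account_existence` is the assertion worth keeping in the API's test suite: it fails as soon as someone reintroduces a distinct "no such account" response.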
I hope I will have time this weekend to address these remarks and update both the RSP and the implementation.