Implement JWT authentication in REST API #1785
Conversation
✅ Deploy Preview for specter-desktop-docs ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
ankur12-1610
force-pushed
the
jwt
branch
7 times, most recently
from
63e553e
to
5647ead
Compare
ankur12-1610
force-pushed
the
jwt
branch
2 times, most recently
from
8ae4d93
to
82ad034
Compare
|
@k9ert can you review the changes? |
|
I've added some more comments. Please also fix the tests. Check the development documentation for something called |
ankur12-1610
force-pushed
the
jwt
branch
5 times, most recently
from
142efd4
to
baf1c44
Compare
|
If there is no hiccup, this should now be green. I've also refined the documentation. @ankur12-1610 currently no need to do anything on your side other than maybe reviewing my changes in the documentation. |
|
Oh! @k9ert you updated the doc:sweat_smile:, I was doing it rn ;) Also in the updated version, we've not described python requests any reason for that:thinking:? Also the changes LGTM! |
|
Yeah, i was a bit impatient 😅
What's missing here ? |
Oh yeah it is correct I thought the same curl should be in python requests as well didn't see the line you mentioned which says in python requests we won't use Also there is a minor typo over here https://deploy-preview-1785--specter-desktop-docs.netlify.app/api/#python:~:text=%3Ctoken%3E%20and-,%3Ctoekn_id%3E, it should be |
|
Typo fixed. It might need an explanation: You don't "need" BasicAuth in python because we assume here, that people who are doing python are developing serious integration-solutions which are configurable. Configuration with a token which has been created upfront via ... remember: Ideally we should have done a frontend in order to create the token. We wanted to make it as simple as possible and therefore we skipped the UI and instead created an API endpoint for that as a first fix. However this (BasicAuth) endpoint should only be used by an administrator of Specter in order to create the token which they then configure in some other (python-) application. But an admin will use curl for that, not python. So that's the reason why we don't need the BasicAuth endpoint example in python (even though it would be possible). Or looking it from the other point of view: If you WOULD implement a configuration where you configure Username/Password into the python application and the python application is getting a token and using that one, then the whole exercise would have been completely useless and no security gains would be there. |
Got it, thanks for the info I didn't have any idea about this ;) |
|
We can soon merge this PR. I don't think there is anything left other than doing a normal bugfix release, probably on monday. Next week tuesday afternoon, we can merge this. |
|
There were some little changes of the rest api test in this #1920, I'd suggest to merge this PR first and then check whether the tests are still green (I guess so!) and then merge. |
|
@ankur12-1610 merged, thank you ! |
|
Congrats! @ankur12-1610 |
|
Yaaayy! 🎉 it was a great learning experience, thanks @k9ert and @moneymanolis 😄 |
ankur12-1610
changed the title
This PR basically involves the implementation of JWT authentication in Specter's REST API, I've divided this PR into different milestones:
jwt_tokenfield in theUserMixin/v1alpha/token) which return thejwt_tokenas the JSON response.BasicHTTPAuthto the endpointsTokenHTTPAuthon top of theBasicHTTPAuthDemo (latest progress):
final-sob-demo.mp4