
Remove Account Update Route #5

Closed
gr2m opened this issue Nov 14, 2015 · 3 comments

Comments

@gr2m
Member

gr2m commented Nov 14, 2015

I think we can remove the PATCH /session/account route entirely, and make all account properties after sign up read only, without exception. The security requirements / workflows to change a username or a password are app-specific, so I'd suggest that we use the requests API for that. I think it's perfectly suited for that.

In Hoodie’s implementation, the handlers for the different requests can be defined with the requests option passed to the hapi plugin. For example, the following request handler would require an x-password header to be sent, and the PUT request against CouchDB would happen with basic auth, using the username and password, and will therefore fail if the password is incorrect. The user's session is ignored entirely.

var options = {
  // ... other hapi plugin options
  requests: {
    // handler for the "updateAccount" request: the session only identifies the
    // user, the x-password header is what authenticates the change
    updateAccount: function (request, reply) {
      var server = request.connection.server
      var user = request.auth.credentials
      var password = request.headers['x-password']

      // basic auth with the current username and the x-password value: CouchDB
      // rejects the PUT when the password is wrong, whatever session the caller has
      var promise = server.plugins.account.api.accounts.update(user.id, {
        username: request.payload.username,
        password: request.payload.password
      }, {
        auth: {
          username: user.username,
          password: password
        }
      })

      reply(promise)
    }
  }
}

That would also make the separation of accounts & profiles more clear.

Any thoughts @patriciagarcia @tthew?

@patriciagarcia
Collaborator

👍

@HipsterBrown

👍

gr2m added a commit that referenced this issue Nov 21, 2015
BREAKING CHANGE:

We decided to remove the ability to edit accounts by users themselves, as the business
requirements are different from app to app, so the /requests API can be used for it
instead. See #5
@gr2m
Member Author

gr2m commented Nov 26, 2015

fixed via #7

@gr2m gr2m closed this as completed Nov 26, 2015