From e6eae25e1d8231fdfd0c737f3a498c1f4526e7a8 Mon Sep 17 00:00:00 2001 From: Alastair Mucklow Date: Thu, 11 Jun 2020 17:28:19 +0100 Subject: [PATCH 1/2] Add caveat for known bug --- .../get-started/authentication/gs-authentication-session.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/guides/v2.3/get-started/authentication/gs-authentication-session.md b/src/guides/v2.3/get-started/authentication/gs-authentication-session.md index 08351ab616f..64bd8e728b9 100644 --- a/src/guides/v2.3/get-started/authentication/gs-authentication-session.md +++ b/src/guides/v2.3/get-started/authentication/gs-authentication-session.md @@ -23,9 +23,7 @@ For example, if a customer is logged in to the Magento storefront and the [JavaS `GET /rest/V1/customers/me` -Similarly, if an admin is logged in to the Magento Admin -and the JavaScript widget `Magento_Customer::group` API, details for the logged-in admin are fetched. -The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the `Magento_Customer::group` resource. +Similarly, if an admin is logged in to the Magento Admin and the JavaScript widget invokes the `Magento_Customer::group` API, details for the logged-in admin are fetched. The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the `Magento_Customer::group` resource. [**Note:** this is the intended behaviour. In fact admin session-based authentication is not currently possible for API endpoints owing to [a bug](https://github.com/magento/magento2/issues/9138).] {:.bs-callout-info} The session based authentication functionality is restricted to only allow for AJAX calls and not direct browser requests due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps. 
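Review bot: the bracketed note appended to the admin paragraph contradicts the two sentences before it: the paragraph says details for the logged-in admin "are fetched" and access to `Magento_Customer::group` "is authorized", then the note says admin session-based authentication "is not currently possible". Lead with the limitation rather than burying it in square brackets at the end of a long line, for example as its own callout: `Admin session-based authentication is not currently possible for API endpoints (see https://github.com/magento/magento2/issues/9138).` and describe the fetch as the designed behaviour, not the current one. "this is the intended behaviour" is also ambiguous as written, since it can be read as saying the bug itself is intended. While this passage is being touched, the unchanged context sentence "restricted to only allow for AJAX calls and not direct browser requests due to security vulnerabilities" should say what risk the AJAX-only restriction mitigates; that is the sentence a developer writing a custom storefront widget needs in order not to weaken it.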
From 4131c3887b0db6ac17cf9356b1b608e3af420ef8 Mon Sep 17 00:00:00 2001 From: Donald Booth Date: Thu, 11 Jun 2020 12:30:18 -0500 Subject: [PATCH 2/2] Grammar and formatting. --- .../authentication/gs-authentication-session.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/guides/v2.3/get-started/authentication/gs-authentication-session.md b/src/guides/v2.3/get-started/authentication/gs-authentication-session.md index 64bd8e728b9..cb8ac77d608 100644 --- a/src/guides/v2.3/get-started/authentication/gs-authentication-session.md +++ b/src/guides/v2.3/get-started/authentication/gs-authentication-session.md 
@@ -23,10 +23,11 @@ For example, if a customer is logged in to the Magento storefront and the [JavaS `GET /rest/V1/customers/me` -Similarly, if an admin is logged in to the Magento Admin and the JavaScript widget invokes the `Magento_Customer::group` API, details for the logged-in admin are fetched. The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the `Magento_Customer::group` resource. [**Note:** this is the intended behaviour. In fact admin session-based authentication is not currently possible for API endpoints owing to [a bug](https://github.com/magento/magento2/issues/9138).] +Similarly, if an admin is logged in to the Magento Admin and the JavaScript widget invokes the `Magento_Customer::group` API, details for the logged-in admin are fetched. The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the `Magento_Customer::group` resource. - {:.bs-callout-info} -The session based authentication functionality is restricted to only allow for AJAX calls and not direct browser requests due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps. +{:.bs-callout-warning} +Admin session-based authentication is not currently possible for API endpoints. +The session based authentication functionality is restricted to AJAX calls. Direct browser requests cannot be made due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps. ## Related topic
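Review bot: the link to the tracking issue (https://github.com/magento/magento2/issues/9138) from the previous patch is dropped in the new `{:.bs-callout-warning}` block, so readers can no longer check whether the limitation still applies to their version; keep it, e.g. `Admin session-based authentication is not currently possible for API endpoints (see [issue 9138](https://github.com/magento/magento2/issues/9138)).` The paragraph above the callout still states that admin details "are fetched" and access "is authorized", so the contradiction remains; rewording that paragraph as the designed behaviour would resolve it. Minor: "session based" on the last added line should be "session-based" to match "Admin session-based" on the line before it, and the warning callout now combines two unrelated points (the admin-session limitation and the AJAX-only restriction with its vague "due to security vulnerabilities"); leaving the AJAX restriction in the info callout, and stating what it protects against, would keep the warning to a single caveat.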