[0.19.0] - Required authentication updates #671

Closed
mormaer opened this issue Sep 30, 2023 · 0 comments · Fixed by #752
Collaborator

mormaer commented Sep 30, 2023

Introduction

As detailed in the recent Lemmy announcement, some changes are required to how authentication works in v0.19.0 and beyond.

Authentication
Previous Lemmy versions used to take authentication as query/post parameters. This is insecure and unnecessarily complicated. With 0.19, the jwt token can be passed either as cookie with name auth, or as header in the form Authorization: Bearer .

A major advantage is that this allows us to send proper cache-control headers, with responses to unauthenticated users being cacheable. It also prevents token leaks in web server logs. The login and registration endpoints attempt to set the cookie automatically. If that is supported on your platform, you don’t have to worry about the authentication token at all.

In order for your client to be compatible with both Lemmy 0.18 and 0.19, you should send auth in both ways. Meaning with each API call, send the old auth query/post parameter, as well as the new header or cookie.

A few PRs detailing these changes:
LemmyNet/lemmy#3725
LemmyNet/lemmy#3926
LemmyNet/lemmy#3946
LemmyNet/lemmy#3982

Requirements

The APIClient needs updated to start sending the authentication as detailed above. We should continue to send the old parameter for now and remove it once we see the majority of instances upgrade to this version.

@mormaer mormaer added the enhancement New feature or request label Sep 30, 2023
@mormaer mormaer self-assigned this Sep 30, 2023
@EricBAndrews EricBAndrews mentioned this issue Nov 9, 2023
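
One way to build requests that authenticate both ways during the 0.18 to 0.19 transition, added here as an example (not code from this project or from Lemmy). The instance URL and token are constructed, and `build_request` and `redact_url` are hypothetical helper names; the redaction helper masks the legacy `auth` query parameter in the client's own logs for as long as it is still sent.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request


def build_request(base_url, path, method="GET", params=None, token=None,
                  legacy_auth=True):
    """Build (without sending) an API request that carries the JWT both ways.

    legacy_auth=True also sends the pre-0.19 `auth` query/post parameter;
    set it to False once 0.18 instances no longer need to be supported.
    """
    params = dict(params or {})
    headers = {"Accept": "application/json"}
    if token:
        # 0.19 style: the token travels in a header, not in the URL or body.
        headers["Authorization"] = f"Bearer {token}"
        if legacy_auth:
            # 0.18 style: the token travels as a query/post parameter.
            params["auth"] = token
    url = base_url.rstrip("/") + path
    data = None
    if method == "GET":
        if params:
            url += "?" + urlencode(params)
    else:
        headers["Content-Type"] = "application/json"
        data = json.dumps(params).encode("utf-8")
    return Request(url, data=data, headers=headers, method=method)


def redact_url(url):
    """Mask the legacy `auth` parameter before a URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "auth" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed instance URL and token, for illustration only.
    req = build_request("https://lemmy.example", "/api/v3/site",
                        token="tok.en.sig")
    print(req.get_method(), redact_url(req.full_url))
    print("Authorization header set:", req.get_header("Authorization") is not None)
```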