-
Notifications
You must be signed in to change notification settings - Fork 108
GET /account/devices should not return session token ids #1119
Comments
It's been a while since I was deep down in the mechanics of our session tokens - why do they not know this? |
I'm not sure I can answer why. But I might be operating on the wrong premise here so if I describe things as far as I understand them, perhaps you can set me straight. Fwiw, the session auth stuff is still basically magic to me, I'll dig into it some more tomorrow. Anyway, my understanding:
|
We should avoid this; the FWIW, you can derive
Another potential reason for returning it, is to identify the device(s) in a broader list of sessions. Since some sessions have devices and some don't, we talked about the "devices view" doing something like:
But there's other ways to achieve, and it's not clear if we actually need it, so shrug. |
Which is to say, I think we'll continue to evolve the API on this point, but your proposal sounds good to me at this time :-) |
Another day, another stupid problem with my implementation of the devices API. :)
Currently the
/v1/account/devices
endpoint returns a propertysessionToken
which contains the token id. But API clients don't know what their token id is, so this information is useless and they can't identify themselves in the returned array.I'm pretty sure it was suggested at some point that I return an
isCurrentDevice
boolean property instead, so that is probably the correct thing to do.It also highlights another gap in the test coverage as I wasn't asserting that the returned
sessionToken
property was doing what I thought it did. The fix for this issue should add appropriate assertions totest/remote/devices.js
.We also need to update the docs and the client code.
The text was updated successfully, but these errors were encountered: