Registration API #77
Registration API #77
Conversation
- Refactor database classes to use entity/mapper pattern - Use automatic class loading - Move logic to RegistrationService class so it is reusable for the api Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
capabilities.php
Outdated
| use OCP\Capabilities\ICapability; | ||
| use OCP\IURLGenerator; | ||
|
|
||
| class Capabilities implements ICapability { |
There was a problem hiding this comment.
Capabilties can only be queried (currently) when authenticated. nextcloud/server#4510
| 'registration' => | ||
| [ | ||
| 'enabled' => true, | ||
| 'apiRoot' => $this->urlGenerator->linkTo( |
controller/apicontroller.php
Outdated
|
|
||
| public function __construct($appName, | ||
| IRequest $request, | ||
| $corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
There was a problem hiding this comment.
kill this it is the same as the parent
controller/apicontroller.php
Outdated
| public function __construct($appName, | ||
| IRequest $request, | ||
| $corsMethods = 'PUT, POST, GET, DELETE, PATCH', | ||
| $corsAllowedHeaders = 'Authorization, Content-Type, Accept', |
controller/apicontroller.php
Outdated
| IRequest $request, | ||
| $corsMethods = 'PUT, POST, GET, DELETE, PATCH', | ||
| $corsAllowedHeaders = 'Authorization, Content-Type, Accept', | ||
| $corsMaxAge = 1728000, |
controller/apicontroller.php
Outdated
| MailService $mailService, | ||
| IL10N $l10n, | ||
| Defaults $defaults) { | ||
| parent::__construct($appName, $request, $corsMethods, $corsAllowedHeaders, $corsMaxAge); |
There was a problem hiding this comment.
Remove the args with defaults here if they are the same ;)
controller/apicontroller.php
Outdated
| * @PublicPage | ||
| * @AnonRateThrottle(limit=5, period=1) | ||
| * | ||
| * @param $username |
There was a problem hiding this comment.
use the typehints ;)
@param type $varSo
@param string $username
service/registrationexception.php
Outdated
| $this->setHint($hint); | ||
| } | ||
|
|
||
| public function setHint($hint) { |
There was a problem hiding this comment.
Setter for exception seems weird....
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
|
Hi @juliushaertl I looked over the changes and most looked good, and with the design of "pending" status it should be feasible if we want to incorporate admina approval feature in the future. Some notes while I was reading the code: Client secretClient secret is held only by the client app, and is used to uniquely identify the client app making the registration request. Q: Why is there need for a client secret at all? why not just check the registration status by Token? Different behavior of
|
|
@pellaeon Thanks for your feedback. I really appreciate it.
Exactly. The token should not be exposed anywhere else than in the email. Otherwise that would allow users to verify their address without receiving an email.
A new token will be generated and sent to the users email. See https://github.com/pellaeon/registration/pull/77/files#diff-b9e15819672f6817a033ecc447a6e2a2R153
I have not thought about that kind of attack vector until now. But I guess we could at least add the AnonRateThrottle rate limit annotation that Nextcloud has introduced here. At the moment there is no check if there already is a pending registration for the username, but i'll add that as well. I need to think a bit more about this, maybe we need some kind of expiration, as you said. I'll try to finish documentation of the API and the unit tests later today. |
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
Signed-off-by: Julius H盲rtl <jus@bitgrid.net>
juliushaertl
force-pushed
the
registration-api
branch
from
36aa1f4
to
ffcc239
Compare
|
Sorry for the delay. I've added unit tests at least for the new code parts. @pellaeon It might make sense to enable travis ci or some similar ci service on the repo, so we can see if some patches break the unit tests in the future. The API documentation can be found here: https://gist.github.com/juliushaertl/5a1d1132e7370b5ad38fbd6da3cae5b8 |
|
Hey @juliushaertl , I encountered this error while upgrading the plugin: Might be some problems with my Doctrine or MariaDB, I'm looking into it, please let me know if you have a hint. |
|
Oops, I forgot I had sqlite3 instead of MariaDB on my test server. So it's probably this problem: https://stackoverflow.com/questions/3170634/how-to-solve-cannot-add-a-not-null-column-with-default-value-null-in-sqlite3 Since sqlite3 is only used for testing purposes, I think the user may just drop the existing table and re-enable the plugin. |
This PR implements a basic registration API as an OCS endpoint as discussed in #41
I've included the commit from #76 here, since a lot of refactoring has been done based on this and I think it might easier to review the changes together.
ToDo:
Example usage is documented here for now with some basic curl commands:
https://gist.github.com/juliushaertl/5a1d1132e7370b5ad38fbd6da3cae5b8#example-usage
@pellaeon @rullzer
Maybe @pierreozoux @Gomez want to have a look as well. 馃槈