Registration API #77
- Refactor database classes to use entity/mapper pattern
- Use automatic class loading
- Move logic to RegistrationService class so it is reusable for the api
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Took a quick look over it. Looks good in general. Will have a more detailed look and test tomorrow.
capabilities.php
use OCP\Capabilities\ICapability;
use OCP\IURLGenerator;

class Capabilities implements ICapability {
Capabilities can only be queried (currently) when authenticated. nextcloud/server#4510
'registration' =>
    [
        'enabled' => true,
        'apiRoot' => $this->urlGenerator->linkTo(
Please use v2.php
controller/apicontroller.php

public function __construct($appName,
                            IRequest $request,
                            $corsMethods = 'PUT, POST, GET, DELETE, PATCH',
kill this, it is the same as the parent
controller/apicontroller.php
public function __construct($appName,
                            IRequest $request,
                            $corsMethods = 'PUT, POST, GET, DELETE, PATCH',
                            $corsAllowedHeaders = 'Authorization, Content-Type, Accept',
same
controller/apicontroller.php
                            IRequest $request,
                            $corsMethods = 'PUT, POST, GET, DELETE, PATCH',
                            $corsAllowedHeaders = 'Authorization, Content-Type, Accept',
                            $corsMaxAge = 1728000,
same
controller/apicontroller.php
                            MailService $mailService,
                            IL10N $l10n,
                            Defaults $defaults) {
    parent::__construct($appName, $request, $corsMethods, $corsAllowedHeaders, $corsMaxAge);
Remove the args with defaults here if they are the same ;)
controller/apicontroller.php
 * @PublicPage
 * @AnonRateThrottle(limit=5, period=1)
 *
 * @param $username
use the typehints ;)
@param type $var
So
@param string $username
service/registrationexception.php
    $this->setHint($hint);
}

public function setHint($hint) {
Setter for exception seems weird....
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Hi @juliushaertl, I looked over the changes and most looked good, and with the design of "pending" status it should be feasible if we want to incorporate an admin approval feature in the future. Some notes while I was reading the code:

Client secret: the client secret is held only by the client app, and is used to uniquely identify the client app making the registration request. Q: Why is there need for a client secret at all? Why not just check the registration status by token?

Different behavior of
@pellaeon Thanks for your feedback. I really appreciate it.
Exactly. The token should not be exposed anywhere else than in the email. Otherwise that would allow users to verify their address without receiving an email.
A new token will be generated and sent to the users email. See https://github.com/pellaeon/registration/pull/77/files#diff-b9e15819672f6817a033ecc447a6e2a2R153
I have not thought about that kind of attack vector until now. But I guess we could at least add the AnonRateThrottle rate limit annotation that Nextcloud has introduced here. At the moment there is no check if there already is a pending registration for the username, but I'll add that as well. I need to think a bit more about this, maybe we need some kind of expiration, as you said. I'll try to finish documentation of the API and the unit tests later today.
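The flow discussed above (client secret returned to the app, verification token delivered only by e-mail, refusal of a second pending registration for the same address or username, and token expiry) as a small Python model. This is an added illustration, not the registration app's PHP code; `RegistrationService`, `Pending`, `TOKEN_TTL` and the in-memory `outbox` are assumed names, and the 24-hour lifetime is an assumption since the thread only raises expiration as an open question.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 24 * 3600  # assumed lifetime; the PR only raises expiration as an open point

@dataclass
class Pending:
    email: str
    username: str
    client_secret: str  # returned to the client app, identifies it on status queries
    token: str          # sent only by mail, proves control of the address
    created: float

class RegistrationService:
    """Hypothetical model of the flow discussed in the thread (not the app's PHP code)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # email -> Pending
        self.outbox = []    # simulated mail delivery: (email, token)

    def _live(self, p):
        return self.clock() - p.created < TOKEN_TTL

    def register(self, email, username):
        # Refuse a second registration for an address or username that is still pending.
        for p in self.pending.values():
            if self._live(p) and (p.email == email or p.username == username):
                raise ValueError("registration already pending")
        p = Pending(email, username, secrets.token_urlsafe(24),
                    secrets.token_urlsafe(24), self.clock())
        self.pending[email] = p
        self.outbox.append((email, p.token))  # the token leaves the server only via e-mail
        return {"email": email, "clientSecret": p.client_secret}  # API response carries no token

    def status(self, email, client_secret):
        p = self.pending.get(email)
        if p is None or not hmac.compare_digest(p.client_secret, client_secret):
            return "unknown"
        return "pending" if self._live(p) else "expired"

    def verify(self, email, token):
        p = self.pending.get(email)
        if p is None or not self._live(p) or not hmac.compare_digest(p.token, token):
            return False
        del self.pending[email]  # one-shot: a used token cannot be replayed
        return True
```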
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Julius Härtl <jus@bitgrid.net>
36aa1f4 to ffcc239
Sorry for the delay. I've added unit tests at least for the new code parts. @pellaeon It might make sense to enable travis ci or some similar ci service on the repo, so we can see if some patches break the unit tests in the future. The API documentation can be found here: https://gist.github.com/juliushaertl/5a1d1132e7370b5ad38fbd6da3cae5b8
I'm sure there is stuff we can improve on later. But for now this looks good to me. Let's get it in!
Hey @juliushaertl , I encountered this error while upgrading the plugin:
Might be some problems with my Doctrine or MariaDB, I'm looking into it, please let me know if you have a hint.
Oops, I forgot I had sqlite3 instead of MariaDB on my test server. So it's probably this problem: https://stackoverflow.com/questions/3170634/how-to-solve-cannot-add-a-not-null-column-with-default-value-null-in-sqlite3 Since sqlite3 is only used for testing purposes, I think the user may just drop the existing table and re-enable the plugin.
This PR implements a basic registration API as an OCS endpoint as discussed in #41
I've included the commit from #76 here, since a lot of refactoring has been done based on this and I think it might be easier to review the changes together.
ToDo:
Example usage is documented here for now with some basic curl commands:
https://gist.github.com/juliushaertl/5a1d1132e7370b5ad38fbd6da3cae5b8#example-usage
@pellaeon @rullzer
Maybe @pierreozoux @Gomez want to have a look as well. 😉