Sync protocol documentation outdated

[PeterCxy]

I am trying to write my own implementation of Standard Notes sync server (https://github.com/PeterCxy/sfrs), during which I noticed that the documentation on https://docs.standardnotes.org/specification/sync seems to be outdated. Here are several differences I have run into during implementation

1. The /auth and /auth/sign_in interfaces needs to return a user object with uuid and email in addition to the session token
2. The /items/sync interface now uses conflicts instead of unsaved to pass conflicts back to the client

These are the ones I have noticed by far. I think that having the standard documentation up-to-date can facilitate more implementations and also make the protocol itself easier to audit.

In addition, I think that the standard should not force implementations to use standard-compliant JWT, since it contains many pitfalls that makes a truly standard-compliant implementation vulnerable (most real-world implementations should not be actually standard-compliant though). Since I don't think the client should care about what sort of token the server uses, maybe the documentation can just say "the server should return some kind of session token that can be used to identify the user and the session".

[moughxyz]

Indeed, the docs for the server specification have not kept up to date with production changes. However, this is something we're planning on revisiting in the near future, as we begin to better organize the overall ecosystem. JWT will also be deprecated in favor of traditional, revokable sessions. Right now I'm completing a refactor of the client-side shared JavaScript library (which is responsible for interacting with the server), after which I will be turning my attention to the server itself. Both sets of documentation will likely need to be rewritten.

[PeterCxy]

Thanks. I guess I'll just refer to the reference implementation for now. Also it may be good to add some explanation for the sync algorithm in detail, especially for those different types of conflicts, because I spent a whole day to figure out that uuid_conflict is not something my implementation would produce.

My implementation has already switched to a server-managed revocable token, and it looks like all clients are working just fine.

Thank you for your great work on this project.

[moughxyz]

Definitely, plan on working on that soon!