controller_api has a direct call to mod_oauth #441

Closed
mworrell opened this Issue · 8 comments

3 participants

Marc Worrell Arjan Scherpenisse Andreas Stenius
Marc Worrell
Owner

I think these should be decoupled.

Especially as controller_api is in mod_base.

Arjan Scherpenisse
Owner

What about moving controller_api into mod_oauth?
Since the main purpose of the services api is that it will be used over oauth..?

Andreas Stenius
Owner

Well, for those who require authentication. But there is a scenario in controller_api that can be without mod_oauth.

Also, one might want to use the api with some other authentication mechanism (Mozilla has some projects in this area that look interesting, imho).

So, maybe we can decouple it using notifications?

Arjan Scherpenisse
Owner

Yep, something like that would be the wisest.
Although it requires some refactoring of controller_api; there are 3 mod_oauth calls in there right now but it should be only one notification.

Andreas Stenius
Owner

Yeah, but we could simply yank out the bigger part of is_authorized (as in the entire case after ensuring the context) from controller_api and send a #api_is_authorized{} notification with the request data, and have mod_oauth process it in the other end.

No big refactorings needed, just not replace every oauth call with a notification...

Arjan Scherpenisse
Owner

That's what I'm trying to prevent, having multiple notifications to establish a single thing, namely giving access to a service..

Arjan Scherpenisse arjan closed this issue from a commit
Arjan Scherpenisse arjan mod_base: Don't let controller_api depend on mod_oauth
Introduce a #service_authorize{} notification which authorization
modules can intercept to perform request checking.

Fixes #441
08a028f
Arjan Scherpenisse
Owner

Boom! :-)

Andreas Stenius
Owner

Nice! :)

But, no doc?

Arjan Scherpenisse
Owner

Did not have time yet
doing it right now :p

Mawuli Adzaku mawuli-ypa referenced this issue from a commit in mawuli-ypa/zotonic
Arjan Scherpenisse arjan mod_base: Don't let controller_api depend on mod_oauth
Introduce a #service_authorize{} notification which authorization
modules can intercept to perform request checking.

Fixes #441
d9576e3
Mawuli Adzaku mawuli-ypa referenced this issue from a commit in mawuli-ypa/zotonic
Arjan Scherpenisse arjan doc: Document the decoupling of service authentication/authorization
Thanks @kaos for the reminder :)

See #441
9890401
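
The decoupling settled on in this thread, as an added sketch that is not Zotonic's code: the controller sends a single authorization notification and takes the first answer, so it never calls an OAuth module directly. The record fields, the observer list, the sample token and the fail-closed default are all assumptions of this example.

```erlang
%% Added sketch of a "first answer wins" authorization notification.
%% Every name below is hypothetical; this is not z_notifier or mod_oauth.
-module(service_authorize_demo).
-export([is_authorized/2, demo/0]).

%% Only the record name comes from the thread; the fields are assumed.
-record(service_authorize, {service_module, needs_auth = true, token}).

%% Ask observers in order; the first answer other than 'undefined' wins.
%% 'undefined' means "not my concern, ask the next module".
first(_Msg, []) -> undefined;
first(Msg, [{_Prio, Observer} | Rest]) ->
    case Observer(Msg) of
        undefined -> first(Msg, Rest);
        Answer -> Answer
    end.

%% The controller's single decision point. It knows nothing about OAuth.
is_authorized(#service_authorize{needs_auth = false}, _Observers) ->
    true;
is_authorized(#service_authorize{} = Msg, Observers) ->
    case first(Msg, lists:keysort(1, Observers)) of
        true -> true;
        %% Design choice of this sketch: an explicit denial and
        %% "no module answered" both reject the request (fail closed).
        _ -> false
    end.

%% Constructed stand-in for an OAuth-style module. It stays silent when the
%% request carries no token, so another mechanism could still answer.
oauth_observer(#service_authorize{token = undefined}) -> undefined;
oauth_observer(#service_authorize{token = <<"constructed-valid-token">>}) -> true;
oauth_observer(#service_authorize{}) -> {false, invalid_token}.

%% Returns one decision per constructed request: public service, valid token,
%% bad token, no token, and valid token with no authorization module loaded.
demo() ->
    Obs = [{10, fun oauth_observer/1}],
    Req = #service_authorize{service_module = service_demo_example},
    Good = <<"constructed-valid-token">>,
    [is_authorized(Req#service_authorize{needs_auth = false}, []),
     is_authorized(Req#service_authorize{token = Good}, Obs),
     is_authorized(Req#service_authorize{token = <<"bad">>}, Obs),
     is_authorized(Req, Obs),
     is_authorized(Req#service_authorize{token = Good}, [])].
```

The last case in `demo/0` is the one to check when removing a hard dependency like this: with the authorization module absent, a protected service must not become reachable just because nobody answered the notification.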