Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

controller_api has a direct call to mod_oauth #441

Closed
mworrell opened this Issue Oct 6, 2012 · 8 comments

Comments

Projects
None yet
3 participants
Owner

mworrell commented Oct 6, 2012

I think these should be decoupled.

Especially as controller_api is in mod_base.

@arjan arjan was assigned Nov 8, 2012

Owner

arjan commented Dec 4, 2012

What about moving controller_api into mod_oauth?
Since the main purpose of the services api is that it will be used over oauth..?

Owner

kaos commented Dec 7, 2012

Well, for those who require authentication. But there is a scenario in controller_api that can be without mod_oauth.

Also, one might want to use the api with some other authentication mechanism (mozilla has some projects in this area that looks interesting, imho).

So, maybe we can decouple it using notifications?

Owner

arjan commented Dec 7, 2012

Yep something like that would be the wisest.
Although it requires some refactoring of controller_api; there are 3 mod_oauth calls in there right now but it should be only one notification.

Owner

kaos commented Dec 7, 2012

Yeah, but we could simply yank out the bigger part of is_authorized (as in the entire case after ensuring the context) from controller_api and send a #api_is_authorized{} notification with the request data, and have mod_oauth process it in the other end.

No big refactorings needed, just not replace every oauth call with a notification...

Owner

arjan commented Dec 7, 2012

that's what Im trying to prevent, having multiple notifications to establish a single thing, namely giving access to a service..

@arjan arjan closed this in 08a028f Dec 7, 2012

Owner

arjan commented Dec 7, 2012

Boom! :-)

Owner

kaos commented Dec 7, 2012

Nice! :)

But, no doc?

Owner

arjan commented Dec 8, 2012

Did not have time yet
doing it right now :p

@arjan arjan added a commit that referenced this issue Dec 8, 2012

@arjan arjan doc: Document the decoupling of service authentication/authorization
Thanks @kaos for the reminder :)

See #441
8788a42

@rpip rpip pushed a commit to rpip/zotonic that referenced this issue Aug 12, 2013

@arjan arjan mod_base: Don't let controller_api depend on mod_oauth
Introduce a #service_authorize{} notification which authorization
modules can intercept to perform request checking.

Fixes #441
d9576e3

@rpip rpip pushed a commit to rpip/zotonic that referenced this issue Aug 12, 2013

@arjan arjan doc: Document the decoupling of service authentication/authorization
Thanks @kaos for the reminder :)

See #441
9890401
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment