Closed Bug 1230604 Opened 10 years ago Closed 10 years ago

Add non-session auth method to API

Categories

(developer.mozilla.org Graveyard :: BrowserCompat, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwhitlock, Assigned: jwhitlock)

References

Details

(Whiteboard: [bc:infra][bc:milestone=bicycle])

What problem would this feature solve?
======================================
When using a browser, users are authenticated to https://browsercompat.herokuapp.com using a session cookie, and forms use a CSRF token. This is inappropriate for 3rd party apps, either browser-based (such as the planned contribution interface) or server-based (such as kuma making async requests on behalf of an MDN user).

Who has this problem?
=====================
All contributors to MDN

How do you know that the users identified above have this problem?
==================================================================
The BC contribution project (https://github.com/mdn/browsercompat-contribution) can not create or update resources.

How are the users identified above solving this problem now?
============================================================
BC tools emulate a browser-based login, and use the session for further requests. CSRF tokens are added as the X-CSRFToken header.

Do you have any suggestions for solving the problem? Please explain in detail.
==============================================================================
Django REST Framework supports several auth methods [1], including token support. Third parties provide additional standard auth methods such as OAuth tokens. Tutorials [2] and libraries [2] show how to integrate authentication into an Ember.js app.

[1] http://www.django-rest-framework.org/api-guide/authentication/
[2] http://log.simplabs.com/post/57702291669/better-authentication-in-emberjs
[3] http://log.simplabs.com/post/63565686488/embersimpleauth

Is there anything else we should know?
======================================
There is an additional problem of authentication between MDN and BrowserCompat. That is a separate issue - this is the "good enough" authentication to unblock the contribution interface for alpha users.
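The two authentication paths contrasted in the report above, as an added example that is not part of the original bug report or the browsercompat code base. It models a server accepting either an OAuth2 bearer token or a session cookie; the sample sessions, tokens, `read`/`write` scope names and the `authenticate`/`outcome` helpers are assumptions made for illustration.

```python
import hmac
import time

# Constructed sample data; a real service keeps these in its database.
SESSIONS = {"sess-abc": "alice"}
NOW = time.time()
TOKENS = {
    "tok-rw": {"user": "alice", "scopes": {"read", "write"}, "expires": NOW + 3600},
    "tok-ro": {"user": "alice", "scopes": {"read"}, "expires": NOW + 3600},
    "tok-old": {"user": "alice", "scopes": {"read", "write"}, "expires": NOW - 1},
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authenticate(method, headers, cookies):
    """Return (user, mechanism) or raise PermissionError."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = TOKENS.get(auth[len("Bearer "):])
        if token is None or token["expires"] <= time.time():
            raise PermissionError("invalid or expired token")
        needed = "read" if method in SAFE_METHODS else "write"
        if needed not in token["scopes"]:
            raise PermissionError("token lacks scope " + needed)
        # No CSRF check here: a browser never adds this header on its own,
        # so another site cannot make the user's browser send it.
        return token["user"], "oauth2"
    user = SESSIONS.get(cookies.get("sessionid", ""))
    if user is None:
        raise PermissionError("not authenticated")
    if method not in SAFE_METHODS:
        # Cookies ride along automatically, so writes need the CSRF token:
        # the X-CSRFToken header must match the csrftoken cookie.
        sent = headers.get("X-CSRFToken", "")
        expected = cookies.get("csrftoken", "")
        if not sent or not hmac.compare_digest(sent.encode(), expected.encode()):
            raise PermissionError("CSRF token missing or incorrect")
    return user, "session"


def outcome(method, headers=None, cookies=None):
    """Wrap authenticate() so each case yields a printable result."""
    try:
        return authenticate(method, headers or {}, cookies or {})
    except PermissionError as exc:
        return "denied: " + str(exc)
```

A third-party client only has to hold a token and send one header, while the session path forces it to carry a cookie jar and a CSRF token, which is the browser emulation the report describes.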
Blocks: 996570
Component: General → BrowserCompat
Blocks: 1240095
Severity: enhancement → major
Keywords: in-triage
OS: Other → All
Summary: [Compat Data] Add non-session auth method to API → Add non-session auth method to API
Whiteboard: [specification][type:feature] → [bc:infra]
Blocks: 1240757
No longer blocks: 996570
Whiteboard: [bc:infra] → [bc:infra][bc:milestone=bicycle]
Assignee: nobody → jwhitlock
Severity: major → normal
Status: NEW → ASSIGNED
Commits pushed to master at https://github.com/mdn/browsercompat

https://github.com/mdn/browsercompat/commit/4b16636f626ff2a762a3cfadeb6e03406e516d58
bug 1230604 - Fix title on about page

https://github.com/mdn/browsercompat/commit/06c0c4ab6cd3dcb09b6b8c8af399793a04b6ab01
bug 1230604 - Stop checking contents of 404 page

django-oauth-toolkit will add a new 404 page template, breaking tests that assert the content of the 404 page. The status code check should be sufficient.

https://github.com/mdn/browsercompat/commit/73e0b6098fbac0215b713783be0f5685211b720f
bug 1230604 - Add OAuth2 endpoints

Add django-oauth-toolkit, with little configuration, to gain OAuth2 endpoints.

https://github.com/mdn/browsercompat/commit/14871013c3566bec5f09074d6c9faad1107b0708
bug 1230604 - Enable oauth2 token authentication

The oauth2 authentication flow can call the parser in an alternate way, so an explicit get_parser_context is needed for views with relationship links.

https://github.com/mdn/browsercompat/commit/337ff5945eff562b568b6683da67c38cc53134d2
bug 1230604 - Add OAuth2 token and app management

Add OAuth2 token and application management pages to the user profile, by re-writing as Jinja2 templates extending the profile template.

https://github.com/mdn/browsercompat/commit/3eb3ad74a65c5fd73767ff15bf17b728904bd846
bug 1230604 - Style token authorization in profile

The built-in token authorization view adds an 'url' parameter to the template context when rendering an error, which interferes with the URL reverse method of the same name. Create and use a derived token authorization view that omits the 'url' parameter.

https://github.com/mdn/browsercompat/commit/1503c2c8235e76bf09e6115c1c09de8c9e4a216d
bug 1230604 - Add docs for OAuth2 apps and tokens

https://github.com/mdn/browsercompat/commit/d51ea41028ad8af589d4d4f9a2ee510cffcb7360
bug 1230604 - Fix spaces and quotes

https://github.com/mdn/browsercompat/commit/923184419013b52d20994875fdf61eb2dbc3211e
Merge pull request #97 from mdn/oauth2_1230604

bug 1230604 - Add OAuth Provider support r=willkg
Commits pushed to master at https://github.com/mdn/browsercompat

https://github.com/mdn/browsercompat/commit/da1ab18c87b8fed587e09bef5eac53ab4907c3f1
bug 1230604 - Better handling of unicode responses

Detect if output is UTF-8 capable, and only encode if it is not.

https://github.com/mdn/browsercompat/commit/3f2dd19fa0e60da9c9b13c9e6d8c06f7ee892fe8
bug 1230604 - Use tokens in integration tests

Generate and use OAuth2 tokens in integration tests. This impacts all the request headers for tests requiring write access.

docs/v2/raw/changeset-related-user-response-body.json also changed, but this is unexpected. The user instance cache is not being invalidated when a changeset is created, and the cache is populated before the first change when OAuth2 tokens are used. This is tracked in the new bug 1247690.

https://github.com/mdn/browsercompat/commit/c28d534242a40626aed8b1500fff01a2c2d2be15
Merge pull request #107 from mdn/docs_use_oauth2_1230604

fix bug 1230604 - Use OAuth2 tokens in integration tests and documentation.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard