Skip to content

Comments

Update API docs & deprecate some older ones#1360

Merged
jtojnar merged 6 commits intomasterfrom
api-docs
Oct 4, 2022
Merged

Update API docs & deprecate some older ones#1360
jtojnar merged 6 commits intomasterfrom
api-docs

Conversation

@jtojnar
Copy link
Member

@jtojnar jtojnar commented Sep 30, 2022
edited
Loading

  • Emphasize Cookie auth in docs
  • Replace GET /logout with DELETE /api/session/current
  • Deprecate POST /source/delete/:id
  • Make POST /source/update and POST /source/:id/update return 403 on authorization failure (cc @davidoskky for /update specs #1357)

cc @aminecmi

davidoskky
davidoskky reviewed Oct 1, 2022
View reviewed changes
@jtojnar jtojnar force-pushed the api-docs branch 3 times, most recently from 73232b7 to 3ba91ae Compare October 4, 2022 13:30
jtojnar added 6 commits October 4, 2022 15:53
@jtojnar
docs/api-description.json: Emphasize Cookie auth
631f30b 
Increases API version to 4.0.1.

`GET /login` and passing credentials in query string is now officially deprecated.
@jtojnar
api: replace GET /logout with DELETE /api/session/current
a8b820e 
and deprecate the former.

Increases API version to 4.1.0.

Using `GET` method could, in theory, allow a limited DOS attack.
While selfoss should absolutize all relative image `src` attributes when fetching a source, there may be bugs.
Or less likely, a malicious feed could guess the domain and use the absolute URL of `/logout`.
Or if user runs another app in the same context, it could be similarly hijacked.
All those should probably be resolved by other means (e.g. CORS headers) but I doubt anyone will target selfoss users in this way just to annoy them.

`DELETE` method is as close to REST as we can get with session state.
See also the discussion on https://stackoverflow.com/questions/3521290/logout-get-or-post

Also fix the API docs which incorrectly claimed the `/logout` works over `POST`.
@jtojnar
api: Deprecate POST /source/delete/:id
5152d5d 
It was actually introduced after `DELETE /source/:id`:

2050272
@jtojnar
api/update: Return 403 Forbidden on unallowed
d1b04af 
Make the error code explicit.

This is undocumented API but we are still raising API version since apps might have been relying on `200 OK` status code for unallowed access.
@jtojnar
client: Fix MessageFormat string placeholders
7a0aff6
@jtojnar
client: Distinguish login failure from server error
b61c6a2 
The 403 or 500 HTTP errors have nothing to do with selfoss credentials so we should show a different error.
While at it, move the error detection to the request function and remove redundant redirect.
@jtojnar jtojnar merged commit b61c6a2 into master Oct 4, 2022
@jtojnar jtojnar deleted the api-docs branch October 4, 2022 13:53
@jtojnar jtojnar added this to the 2.19 milestone Oct 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@davidoskky davidoskky davidoskky left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.19

Development

Successfully merging this pull request may close these issues.

2 participants

@jtojnar @davidoskky