Posted to dev@syncope.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2013/03/25 09:45:58 UTC

Re: API query

Hi
On 20/02/13 19:16, Sergey Beryozkin wrote:
> I wonder if
>
> "GET /users?username={username}&pwd={password}"
>
> is safe enough, as these URIs might get cached somewhere given it is GET
> (though not sure if the caching of URIs can happen with HTTPS).
>
> Might make sense considering treating this as an action request, with
> the credentials being POSTed to /users resource and expecting a
> validated user rep back,
>

Sorry for not replying directly to Jan's response the other day, where he 
recommended using a Cache directive to disable the caching of the data; 
I cannot find it in my mail box :-)

I'm looking at the possible use of OAuth2 bearer tokens within URI query 
components, and can see people warning of the possible 'leaks' of this 
potentially sensitive query data in the logs. Whether it is a concern 
for Syncope or not I'm not sure, but I thought I'd mention it FYI.

Cheers, Sergey

>
>
> On 20/02/13 16:06, Colm O hEigeartaigh wrote:
>> A second thought is that a API to return the User matching the given
>> username + password would be quite nice, unless there is another way of
>> doing this that I am missing. WDYT?
>>
>> Colm.
>>
>> On Wed, Feb 20, 2013 at 4:04 PM, Colm O hEigeartaigh <co...@apache.org> wrote:
>>
>>>
>>> Thanks Jan, I have updated it. The "old" API method returns "null" if
>>> the User does not exist, whereas the new API does not seem to return
>>> anything. Would it not be better in both cases to return "false"
>>> explicitly? Or are there backwards compatibility concerns about
>>> changing this?
>>>
>>> Colm.
>>>
>>>
>>> On Wed, Feb 20, 2013 at 4:00 PM, Jan Bernhardt <jb...@talend.com> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> The description is wrong, this method returns a boolean.
>>>>
>>>> Best regards.
>>>> Jan
>>>>
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>>> Sent: Mittwoch, 20. Februar 2013 16:48
>>>>> To: dev@syncope.apache.org
>>>>> Subject: API query
>>>>>
>>>>> Hi all,
>>>>>
>>>>> From the wiki:
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
>>>>> RESTAPIupgrade-UserService
>>>>>
>>>>> GET /user/verifyPassword/{username}?password={password}
>>>>> GET /users?username={username}&pwd={password}
>>>>> Returns user if username and password match with an existing account.
>>>>>
>>>>> This method actually returns a boolean not the user, and so the
>>>>> description is invalid.
>>>>>
>>>>> Could someone clarify whether the new API is intended to return a
>>>>> boolean or the User?
>>>>>
>>>>> Colm.
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>>
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>
>>
>>
>
>
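As an added example (not from the thread or from the Syncope project), a small log-hygiene script covering what Sergey's warning implies for a defender once credentials have travelled in GET query strings: it finds `pwd`, `password` and OAuth2 `access_token` parameters in the request field of access-log lines, redacts them before the logs are stored or shipped, and reports which endpoints still receive credentials that way. The parameter-name list and the sample log lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that should never travel in a request URI: the
# pwd/password names from the thread plus an OAuth2 token passed as a parameter.
SENSITIVE_PARAMS = {"pwd", "password", "access_token", "token"}

# The quoted "METHOD URI PROTOCOL" field of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def redact_uri(uri):
    """Return (redacted_uri, names_of_sensitive_params_found) for one URI."""
    parts = urlsplit(uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS]
    if not leaked:
        return uri, []
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked

def scan_log(lines):
    """Redact credentials in every line; return (redacted_lines, findings)."""
    # findings maps "METHOD path" -> set of sensitive parameter names seen there,
    # i.e. the endpoints that still accept credentials in the query string.
    out, findings = [], {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            new_uri, leaked = redact_uri(m.group("uri"))
            if leaked:
                key = m.group("method") + " " + urlsplit(new_uri).path
                findings.setdefault(key, set()).update(leaked)
                line = line[: m.start("uri")] + new_uri + line[m.end("uri"):]
        out.append(line)
    return out, findings

# Constructed sample access-log lines (not real Syncope traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2013:16:48:01 +0000] "GET /users?username=alice&pwd=s3cret HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Feb/2013:16:48:02 +0000] "GET /user/verifyPassword/alice?password=s3cret HTTP/1.1" 200 5',
    '10.0.0.9 - - [20/Feb/2013:16:48:03 +0000] "GET /users/42?access_token=ya29.abc HTTP/1.1" 200 800',
    '10.0.0.9 - - [20/Feb/2013:16:48:04 +0000] "POST /users/verify HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    redacted, findings = scan_log(SAMPLE_LOG)
    print("\n".join(redacted))
    for endpoint, params in sorted(findings.items()):
        print("credentials in query string:", endpoint, sorted(params))
```

The POST line in the sample passes through untouched, which is the point of Sergey's suggestion: credentials sent in a request body never reach the request-line field that access logs and intermediaries record.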