Re: API query

Mon, 25 Mar 2013 01:46:38 -0700 

Hi
On 20/02/13 19:16, Sergey Beryozkin wrote:

I wonder if

"GET /users?username={username}&pwd={password}"

is safe enough, as these URIs might get cached somewhere given it is GET
(though not sure if the caching of URIs can happen with HTTPS).

Might make sense considering treating this as an action request, with
the credentials being POSTed to /users resource and expecting a
validated user rep back,
Sorry, not replying directly to Jan's response the other day where he recommended to use a Cache directive to disable the caching of the data, I can not find it in my mail box :-)
I'm looking at the possible use of OAuth2 bearer tokens within URI query components, and can see the people warning of the possible 'leaks' of these potentially sensitive query data in the logs. Whether it is a concern or not for Syncope I'm not sure, but thought I'd mention it FYI 

Cheers, Sergey




On 20/02/13 16:06, Colm O hEigeartaigh wrote:

A second thought is that a API to return the User matching the given
username + password would be quite nice, unless there is another way of
doing this that I am missing. WDYT?

Colm.

On Wed, Feb 20, 2013 at 4:04 PM, Colm O
hEigeartaigh<cohei...@apache.org>wrote:



Thanks Jan, I have updated it. The "old" API method returns "null" if
the
User does not exist, whereas the new API does not seem to return
anything.
Would it not be better in both cases to return "false" explicitly? Or
are
there backwards compatilbity concerns about changing this?

Colm.


On Wed, Feb 20, 2013 at 4:00 PM, Jan
Bernhardt<jbernha...@talend.com>wrote:


Hi Colm,

The description is wrong, this method returns a boolean.

Best regards.
Jan


-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Mittwoch, 20. Februar 2013 16:48
To: dev@syncope.apache.org
Subject: API query

Hi all,

From the wiki:

https://cwiki.apache.org/confluence/display/SYNCOPE/REST+API+upgrade#
RESTAPIupgrade-UserService

GET /user/verifyPassword/{username}?password={password} GET
/users?username={username}&pwd={password} Returns user if username
and password match with an existing account.
This method actually returns a boolean not the user, and so the

description is

invalid.

Could someone clarify whether the new API is intended to return a

boolean

or the User?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com






--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Reply via email to