Re: [fossil-users] JSON login demo: is this interface acceptable?

[Stephan Beal]

On Fri, Sep 16, 2011 at 4:18 AM, Ron Wilson ronw.m...@gmail.com wrote:

 On Wed, Sep 14, 2011 at 6:40 PM, Stephan Beal Instead of sending the
 password in plain text, you hash the password
 with a nonce received from the server. Of course, to get the nonce,
 you have to attempt to login without supplying credentials. The server
 would then respond with a payload containing the nonce to use in the
 hash.


The problem with that is that we need the hash routine for every client
language :/.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] JSON login demo: is this interface acceptable?

[Joshua Paine]

On 9/15/2011 10:18 PM, Ron Wilson wrote:

For the password on GET, you could mimic what HTTP-Auth-Digest does.


AFAIK, in every programming context where you'd want to make a JSON 
request, POST is as easy to do as GET. The main reason to support GET at 
all is to make it easy for people to experiment with the API manually, 
which would be completely defeated by requiring a two-request login 
process and hashing.


--
Joshua Paine
LetterBlock: Web Applications Built With Joy
http://letterblock.com/
301-576-1920
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

[fossil-users] JSON login demo: is this interface acceptable?

[Stephan Beal]

Hi, all!

Just implemented...

Request:

GET: /json/login?n=namep=pass

Param names n and p are for compatibility with the current usage, and
may optionally be written out as name and password.

or POST: /json/login
POST request body: { payload:{name:..., password:...} }

(POSTed login data doesn't land in the apache logs, so it's highly
preferred!)

Response:
{
fossil:ff6485c5c8a81716dc9d8a70e4eff3db623f5d54,
timestamp:1316035948,
payload:BCB43F00AF73F290571512747DDFC8B3358C47836B4CFA56D9/CE59BB9F186226D8/stephan
}

The response payload is the value of the fossil cookie, which also gets set:

Set-Cookie:fossil-CE59BB9F186226D8=BCB43F00AF73F290571512747DDFC8B3358C47836B4CFA56D9%2FCE59BB9F186226D8%2Fstephan;
Path=/cgi-bin/fossil.cgi; expires=Fri, 14 Sep 2012 04:32:28 GMT; HttpOnly;
Version=1

i might change the payload to also include the cookie name (fossil-CE5... in
the example above), but i don't yet know if i need it at this level.

i haven't yet done anonymous user support (that requires special handling
because of the random password). Nor have i yet thoroughly tested THIS
support (it's literally under 10 minutes old). Seems to work.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users