01:25 --- tr3onlin_ joined #rest
02:40 --- MLMitch joined #rest
02:42 --- proteusguy joined #rest
02:43 --- tr3online joined #rest
02:45 --- blahdeblah_ joined #rest
02:54 --- blahdeblah joined #rest
02:54 --- blahdeblah joined #rest
03:00 --- fsvehla joined #rest
03:13 --- tr3online joined #rest
03:55 --- tr3onlin_ joined #rest
04:33 --- lemur joined #rest
05:24 --- MLMitch joined #rest
05:35 --- tr3online joined #rest
06:25 --- fsvehla joined #rest
08:12 --- lemur joined #rest
08:33 --- DrCode joined #rest
08:34 --- MLMitch joined #rest
09:33 --- mezod joined #rest
09:49 --- blahdeblah joined #rest
09:49 --- blahdeblah joined #rest
10:02 --- blahdeblah joined #rest
10:02 --- blahdeblah joined #rest
10:13 --- graste joined #rest
10:23 --- tr3online joined #rest
10:25 --- azer_ joined #rest
10:27 --- blahdeblah joined #rest
10:36 --- tr3online joined #rest
10:45 --- rue joined #rest
11:21 --- azer_ joined #rest
11:45 --- adaro joined #rest
11:45 <adaro> la
12:47 --- Left_Turn joined #rest
13:46 --- Left_Turn joined #rest
14:39 --- MLMitch joined #rest
15:02 --- azer_ joined #rest
15:48 <mezod> in case someone feels like answering: http://stackoverflow.com/questions/27876306/user-registration-authentication-flow-on-a-rest-api
15:57 --- _ollie left #rest
16:05 --- azer_ joined #rest
16:16 --- fragamus joined #rest
17:05 --- azer_ joined #rest
17:44 <pdurbin> mezod: nice write-up! I hope StackOverflow ends up being a good place to discuss this.
17:44 <mezod> thanks pdurbin :)
17:44 <mezod> yeah, seems to be a lot of disagreement
17:45 <mezod> read at least 30 related questions and everyone has a different answer
17:50 <pdurbin> I was hoping there would be a Discourse installation that would be suitable for this topic but I couldn't find one at http://meta.discourse.org/t/please-visit-our-discourse-forum-directory/3102 . StackOverflow is best for short questions.
17:58 <mezod> oh, had never heard of Discourse
18:06 <pdurbin> Discourse is by one of the founders of StackOverflow/StackExchange. In announcing Discourse, he said, "At Stack Exchange, one of the tricky things we learned about Q&A is that if your goal is to have an excellent signal to noise ratio, you must suppress discussion." http://blog.codinghorror.com/civilized-discourse-construction-kit/
18:06 --- azer_ joined #rest
18:07 <pdurbin> but sometimes discussion is exactly what you need, which is why I like this channel :)
18:10 <trygvis> mezod: I've tried to read your post several times, but I just get confused
18:11 <trygvis> I think you would make life much easier for yourself if you don't mix the API and the endpoints for the SPA
18:11 <trygvis> they look the same, but they never end up being the same
18:12 <trygvis> and the whole token/user thing is just strange to me
18:20 <pdurbin> the token is like GitHub's "personal API access tokens", right? makes sense to me
18:22 <trygvis> a token at GitHub implies that everything else is set up: the user exists, it has a password and its email has been validated
18:22 <trygvis> I just find the whole premise strange
18:23 <trygvis> as I said yesterday, I would separate the API and the SPA. for the SPA I would just use a normal HTTP cookie-based session
18:27 <pdurbin> I understand the desired end state. That a user who just signed up for the service has his API token in his hand. The question is if you can get to that end state entirely through an API. And email validation adds an extra wrinkle.
18:29 --- azer_ joined #rest
18:30 <trygvis> that in itself is easy. it's just like the RESTbucks example
18:31 <mezod> trygvis: I'm confused myself too :P
18:31 <mezod> maybe that's the root of the problem
18:32 <trygvis> it probably doesn't help :)
18:33 <mezod> the token (for now) is just a random string attached to a user id, that my API uses to authenticate each request
18:33 <mezod> it's basically like if I were using basic auth, but without sending the user/pass in every request
18:34 <trygvis> but yet you talk about having a token before you have a user
18:34 <mezod> in the future I'd like to make this token expire at some point but that's not the case
18:34 <trygvis> why do you need this signup thing in there?
18:34 <mezod> no, where do I say that?
18:34 <mezod> hmm
18:34 <mezod> ok here's how I understand it
18:34 <mezod> a user wants to use the app
18:35 <mezod> fills the register form, this sends a POST /users request with username, email and password. The API captures the fields and creates a new User. Additionally, the API creates a new token for the user.
18:36 <mezod> Now, for the user to be able to immediately start using the app, he needs that token, so from my POV, the API should return the token as the response of that POST /users.
18:36 <mezod> But as the token is not from the User model, this would be breaking REST rules.
18:37 <trygvis> do you want to have multiple tokens for a single user?
18:37 <mezod> in the future, or on sign-in, the user just sends user/pw and gets the token in return
18:38 <mezod> trygvis: at the moment no, but I wanted to separate the logic of the tokens from the user
18:40 <trygvis> I think you should create a separate bootstrap application to create the initial token for a user
18:40 <trygvis> "application" as in the thesis
18:41 <mezod> you mean a different backend?
18:41 <trygvis> no, not at all
18:41 <trygvis> wait, trying to find a reference
18:42 <mezod> sorry I don't understand what you mean by "separate bootstrap application"
18:42 <trygvis> yeah, I realize
18:44 <trygvis> an application in a REST context is a set of interactions between a client and a server
18:44 --- _ollie joined #rest
18:44 <trygvis> where a server is just a bunch of resources. not a hardware box or single application on a machine
18:44 <trygvis> it's like a use case in traditional UML modelling
18:45 <trygvis> so "create user and make a first token" is an application. "create and publish article" might be another application
18:45 <mezod> aha
18:46 <mezod> you mean the token shouldn't be created at POST /users, but at POST /tokens for example
18:46 <mezod> so a register form should execute both requests somehow?
18:46 <trygvis> nah, a completely different place
18:47 <trygvis> I'd require all other endpoints other than this first initial endpoint to have a valid token
18:47 <mezod> trygvis: yes that's exactly what I have at the moment
18:47 <trygvis> so you can post a form that is known out of bounds to /bootstrap, and after that you can follow any links from the resulting interacting
18:47 <trygvis> interaction
18:49 <mezod> hmm
18:52 <mezod> you are referring to the case when a request that requires authentication is made without sending the necessary auth, right?
18:57 --- lemur joined #rest
18:58 <trygvis> hm, in which case?
18:59 --- fragamus joined #rest
19:00 <trygvis> I'm a bit afk, making dinner
19:04 <mezod> I don't know, I am rather confused by your last sentence, what does that have to do with user registration and token retrieval? :p
19:13 <trygvis> I think you can forget it :)
19:14 <mezod> hehe, I am not sure if I am trying to do something special, I'll need to just try to contact how they did it in any other SPA!
19:16 <trygvis> I still don't think any applications would make something as complicated as you are
19:17 <mezod> I thought I was doing the simple version :p
19:17 <mezod> everyone talks about OAuth
19:17 <mezod> you think they just send basic auth with every request?
19:19 <pdurbin> mezod: a token like you're doing seems more simple that OAuth, I agree
19:19 <pdurbin> than*
19:20 <mezod> but? :P
19:20 <trygvis> for browser, a classic browser cookie is the shit
19:20 <trygvis> browsers
19:21 <mezod> people use cookies with REST APIs?
19:22 <mezod> because for me cookies represent the opposite idea of REST :S
19:23 <Jarda> well if the cookie is only used as an access token, then it does not differ much from the Authorization header, IMO
19:24 <mezod> exactly
19:25 <mezod> I'll read more on cookies though, I am not quite sure of how they work anymore
19:28 <mezod> trygvis: if I understand correctly, you mean using cookies to store the basic auth info to be sent with every request, right?
19:30 --- cigarshark joined #rest
19:33 <trygvis> mezod: when you're talking SPA you can probably forget about REST. I doubt people care about REST when making apps for the browser
19:33 <trygvis> and it's not important to do REST. actually it's probably harmful for your application
19:33 <Jarda> I design my frontend applications (SPAs) and backends separately
19:33 <trygvis> lots of complications with little value
19:33 <Jarda> the upside of that is to get a documentable API for 'free'
19:34 <Jarda> I use OAuth2 for authentication
19:34 <Jarda> but I'm not doing pure REST (not using hypermedia)
19:34 <trygvis> I'm off, dinner time
19:34 <mezod> trygvis: thanks for your time, bon appetit :P
19:35 <mezod> Jarda: yeah I will try to implement OAuth in the future
19:35 <mezod> but right now I wanted to make simple security, so that I can go on with the JS app
19:49 <pdurbin> Jarda: which OAuth2 identity providers (or whatever they're called) do you support? Twitter? Google? Others? Your own?
20:32 --- _ollie joined #rest
20:41 --- fragamus joined #rest
20:54 --- lemur joined #rest
21:19 --- kevinswiber joined #rest
21:51 --- azer joined #rest
22:15 --- fragamus joined #rest
22:52 --- azer_ joined #rest
23:39 --- azer_ joined #rest