IRC log for #rest, 2015-01-10

https://trygvis.io/rest-wiki/

All times shown according to UTC.

Time S Nick Message
01:25 tr3onlin_ joined #rest
02:40 MLMitch joined #rest
02:42 proteusguy joined #rest
02:43 tr3online joined #rest
02:45 blahdeblah_ joined #rest
02:54 blahdeblah joined #rest
02:54 blahdeblah joined #rest
03:00 fsvehla joined #rest
03:13 tr3online joined #rest
03:55 tr3onlin_ joined #rest
04:33 lemur joined #rest
05:24 MLMitch joined #rest
05:35 tr3online joined #rest
06:25 fsvehla joined #rest
08:12 lemur joined #rest
08:33 DrCode joined #rest
08:34 MLMitch joined #rest
09:33 mezod joined #rest
09:49 blahdeblah joined #rest
09:49 blahdeblah joined #rest
10:02 blahdeblah joined #rest
10:02 blahdeblah joined #rest
10:13 graste joined #rest
10:23 tr3online joined #rest
10:25 azer_ joined #rest
10:27 blahdeblah joined #rest
10:36 tr3online joined #rest
10:45 rue joined #rest
11:21 azer_ joined #rest
11:45 adaro joined #rest
11:45 adaro la
12:47 Left_Turn joined #rest
13:46 Left_Turn joined #rest
14:39 MLMitch joined #rest
15:02 azer_ joined #rest
15:48 mezod in case someone feels like answering: http://stackoverflow.com/questions/27876306/user-registration-authentication-flow-on-a-rest-api
15:57 _ollie left #rest
16:05 azer_ joined #rest
16:16 fragamus joined #rest
17:05 azer_ joined #rest
17:44 pdurbin mezod: nice write up! I hope StackOverflow ends up being a good place to discuss this.
17:44 mezod thanks pdurbin :)
17:44 mezod yeah, seems to be a lot of disagreement
17:45 mezod read at least 30 related questions and everyone has a different answer
17:50 pdurbin I was hoping there would be a Discourse installation that would be suitable for this topic but I couldn't find one at http://meta.discourse.org/t/please-visit-our-discourse-forum-directory/3102 . StackOverflow is best for short questions.
17:58 mezod oh, had never heard of discourse
18:06 pdurbin Discourse is by one of the founders of StackOverflow/StackExchange. In announcing Discourse, he said, "At Stack Exchange, one of the tricky things we learned about Q&A is that if your goal is to have an excellent signal to noise ratio, you must suppress discussion." http://blog.codinghorror.com/civilized-discourse-construction-kit/
18:06 azer_ joined #rest
18:07 pdurbin but sometimes discussion is exactly what you need, which is why I like this channel :)
18:10 trygvis mezod: I've tried to read your post several times, but I just get confused
18:11 trygvis I think you would make life much easier for yourself if you don't mix the API and the endpoints for the SPA
18:11 trygvis they look the same, but they never end up being the same
18:12 trygvis and the whole token/user thing is just strange to me
18:20 pdurbin the token is like GitHub's "personal API access tokens", right? makes sense to me
18:22 trygvis a token at github implies that everything else is set up, the user exists, it has a password and its email has been validated
18:22 trygvis I just find the whole premise strange
18:23 trygvis as I said yesterday, I would separate between the API and the SPA. for the SPA I would just use a normal http cookie-based session
18:27 pdurbin I understand the desired end state. That a user who just signed up for the service has his API token in his hand. The question is if you can get to that end state entirely through an API. And email validation adds an extra wrinkle.
18:29 azer_ joined #rest
18:30 trygvis that in itself is easy. it's just like the rest bucks example
18:31 mezod trygvis: I'm confused myself too :P
18:31 mezod maybe that's the root of the problem
18:32 trygvis it probably doesn't help :)
18:33 mezod the token (for now) is just a random string attached to a user id, that my API uses to authenticate each request
18:33 mezod it's basically like if I were using basic auth, but without sending the user/pass in every request
18:34 trygvis but yet you talk about having token before you have a user
18:34 mezod in the future i'd like to make this token expire at some point but that's not the case
18:34 trygvis why do you need this signup thing in there?
18:34 mezod no, where do I say that?
18:34 mezod hmm
18:34 mezod ok here's how I understand it
18:34 mezod a user wants to use the app
18:35 mezod fills the register form, this sends a POST /users request with username, email and password. The API captures the fields and creates a new User. Additionally, the API creates a new token for the user.
18:36 mezod Now, for the user to be able to immediately start using the app, he needs that token, so from my POV, the API should return the token as Response of that POST /users.
18:36 mezod But as the token is not from the User model, this would be breaking REST rules.
18:37 trygvis do you want to have multiple tokens for a single user?
18:37 mezod in the future, or a signin, the user just sends user/pw and gets the token in return
18:38 mezod trygvis: at the moment no, but I wanted to separate the logic of the tokens from the user
18:40 trygvis I think you should create a separate bootstrap application to create the initial token for a user
18:40 trygvis "application" as in the thesis
18:41 mezod you mean a different backend?
18:41 trygvis no, not at all
18:41 trygvis wait, trying to find a reference
18:42 mezod sorry I don't understand what do you mean by "separate bootstrap application"
18:42 trygvis yeah, I realize
18:44 trygvis an application in a rest context is a set of interactions between a client and a server
18:44 _ollie joined #rest
18:44 trygvis where a server is just a bunch of resources. not a hardware box or single application on a machine
18:44 trygvis it's like a use case in traditional UML modelling
18:45 trygvis so "create user and make a first token" is an application. "create and publish article" might be another application
18:45 mezod aha
18:46 mezod you mean the token shouldn't be created at POST /users, but at POST /tokens for example
18:46 mezod so a register form, should execute both requests somehow?
18:46 trygvis nah, a completely different place
18:47 trygvis I'd require all other endpoints other than this first initial endpoint to have a valid token
18:47 mezod trygvis: yes that's exactly what I have at the moment
18:47 trygvis so you can post a form that is known out of bounds to /bootstrap, and after that you can follow any links from the resulting interacting
18:47 trygvis interaction
18:49 mezod hmm
18:52 mezod you are referring to the case when a request that requires authentication is made without sending the necessary auth right?
18:57 lemur joined #rest
18:58 trygvis hm, in which case?
18:59 fragamus joined #rest
19:00 trygvis I'm a bit afk, making dinner
19:04 mezod i dont know, i am rather confused by your last sentence, what does that have to do with user registration and token retrieval? :p
19:13 trygvis I think you can forget it :)
19:14 mezod hehe, i am not sure if I am trying to do something special, I'll need to just try to contact how they did it in any other SPA!
19:16 trygvis I still don't think any applications would make something as complicated as you are
19:17 mezod i thought i was doing the simple version :p
19:17 mezod everyone talks about oauth
19:17 mezod you think they just send basic auth with every request?
19:19 pdurbin mezod: a token like you're doing seems more simple that oauth, I agree
19:19 pdurbin than*
19:20 mezod but? :P
19:20 trygvis for browser, a classic browser cookie is the shit
19:20 trygvis browsers
19:21 mezod people use cookies with api rest?
19:22 mezod because for me cookies represent the opposite idea of rest :S
19:23 Jarda well if the cookie is only used as an access token, then it does not differ much from Authorization-header, IMO
19:24 mezod exactly
19:25 mezod i'll read more on cookies though, I am not quite sure of how they work anymore
19:28 mezod trygvis: if I understand correctly, you mean using cookies to store the basic auth info to be sent with every request, right?
19:30 cigarshark joined #rest
19:33 trygvis mezod: when you're talking SPA you can probably forget about rest. I doubt people care about rest when making apps for the browser
19:33 trygvis and it's not important to do rest. actually it's probably harmful for your application
19:33 Jarda I design my frontend applications (spa's) and backends separately
19:33 trygvis lots of complications with little value
19:33 Jarda the upside of that is to get a documentable API for 'free'
19:34 Jarda I use OAuth2 for authentication
19:34 Jarda but I'm not doing pure REST (not using hypermedia)
19:34 trygvis I'm off, dinner time
19:34 mezod trygvis: thanks for your time, good appetit :P
19:35 mezod Jarda: yeah I will try to implement OAuth in the future
19:35 mezod but right now I wanted to make a simple security, so that I can go on with the js app
19:49 pdurbin Jarda: which OAuth2 identity providers (or whatever they're called) do you support? Twitter? Google? Others? Your own?
20:32 _ollie joined #rest
20:41 fragamus joined #rest
20:54 lemur joined #rest
21:19 kevinswiber joined #rest
21:51 azer joined #rest
22:15 fragamus joined #rest
22:52 azer_ joined #rest
23:39 azer_ joined #rest