Open that1guy opened 9 years ago
My thinking here was to not add any form of authentication into the API just yet. My gut tells me that our best bet is to start with a bi-directional x509 cert to secure communication between the UI and the API and have the UI manage the appropriate permissions and state for now (i.e. make the API kinda dumb for the time being).
Over time, I think we want to replace this with OAuth... but getting that up and running in the very near term will be challenging (it's not exactly hard, but could take a couple weeks to get it right).
Understood
On Thursday, February 12, 2015, Joshua Thomas notifications@github.com wrote:
Perhaps we can link into this user API after the Aug 15th launch.
Documentation mentions htsApp should pass the poster's username in the payload. i.e.
For security purposes, should the posting-API validate the user's session cookie and look up the username on the server side? Or return 'please sign in' if the user is logged out?
My original posting API looked like: