New Authentication strategy - query parameter

[zubairov]

Right now we have following authentication methods in REST Client component:

However some APIs, like Pipedrive for example require users to add an API Key to each HTTP request as parameter (in this example api_key)

This is a stupid decision but frequently used by inexperienced PHP developers.

Suggestion

Add a new authentication method - Query parameter that work similar to HTTP Header but just transparently adds a query parameter to each query. Advantage - centralized management of credentials despite the stupid API design.

[jhorbulyk]

Could we make a similar argument for the URL Base?

E.g. Company has test.somesystem.theirurl.com for testing and prod.somesystem.theirurl.com and they want to build their flows with their test system first before changing them to point at their prod system some point in the future.

[drobiazko]

You would need to change your flow anyway as you would need to change the credentials

[drobiazko]

@zubairov wouldn‘t it be better to provide an option to choose how the API key is sent: header or query params. It would be sn additional dropdown for API key auth. Btw this would match how Swagger is doing that

[jhorbulyk]

You would need to change your flow anyway as you would need to change the credentials

Not if you simply modify the credentials object to point to your prod instance.

[drobiazko]

@jhorbulyk This is the best way to screw your systems. Imagine multiple flows using same credential but only a subset of them goes live. Boom!

[zubairov]

@drobiazko tbh I don't have a strong opinion about your suggestion, from the first sight it sounds not logical and relation to Swagger may not be the link people would understand or even be aware of (not all users of REST Client may know what Swagger is). But as said no strong opinion here how to implement it - important is we can implement it fast.

[jhorbulyk]

Closing in favor of https://github.com/elasticio/elasticio/issues/4350