Closed niccofyren closed 4 years ago
You are correct that the /api/login.php endpoint is the legacy API and should be nuked from orbit.
I had a look through the code and it looks fine, but I had no opportunity to test it out. Anyone else able to give this a shot?
It looks good to me. And for the record, the old /api/login.php is not in use - it's blocked by apache as well, so no harm in nuking it.
Merging.
This PR introduces a "couple" of tweaks to how passwords and login are handled:

- `password_...` methods
- `webroot/api/*login.php` files using outdated implementations (is this what we call the "legacy auth api"?)
- `Api/Auth` to only accept POST (with JSON) requests (to avoid passing plain text credentials as get parameters)

Checklist for getting in prod:

- `AUTH_COOKIE_KEY` value to prod env
- `Api/Auth`: GET => POST, Url parameters => JSON object, md5(password) => password

Relates to: https://github.com/gathering/wannabe/issues/9
Relates to: https://github.com/gathering/wannabe/issues/8 (Maybe 🤷♂)
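As an added example (not code from the wannabe project), this is the shape of a login handler after the changes listed above: POST only, a JSON body instead of query parameters, and `password_verify()` against a `password_hash()` value in place of an md5 compare. The function names and the in-memory user store are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Legacy shape (what the PR removes): credentials arrive as GET parameters and are
// compared as md5(password). Shown only for contrast; md5 is unsalted and fast, and
// query-string credentials end up in access logs and browser history.
function legacy_login_ok(array $get, array $users): bool
{
    $stored = $users[$get['username'] ?? ''] ?? null;
    return $stored !== null && md5($get['password'] ?? '') === $stored;
}

// New shape: reject anything but POST, parse a JSON object, verify with password_verify().
// Returns [http_status, response_body]. $users is a hypothetical store: username => hash.
function login_from_request(string $method, string $body, array &$users): array
{
    if ($method !== 'POST') {
        return [405, ['error' => 'method not allowed']];
    }
    $data = json_decode($body, true);
    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])) {
        return [400, ['error' => 'expected JSON object with username and password']];
    }
    $stored = $users[$data['username']] ?? null;
    if ($stored === null || !password_verify($data['password'], $stored)) {
        // Same message for unknown user and wrong password: no account enumeration.
        return [401, ['error' => 'invalid credentials']];
    }
    // Opportunistic upgrade if PASSWORD_DEFAULT or its cost changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$data['username']] = password_hash($data['password'], PASSWORD_DEFAULT);
    }
    return [200, ['ok' => true]];
}

// Constructed in-memory user store: passwords are stored as password_hash() output.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$good = json_encode(['username' => 'alice', 'password' => 'correct horse']);
[$status, $resp] = login_from_request('POST', $good, $users);
echo "POST with JSON: $status\n";
[$status, $resp] = login_from_request('GET', '', $users);
echo "GET request: $status\n";
```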