Closed j3k0 closed 8 years ago
I added spoofing with `API_SECRET`. One caveat — online list requires `email` to be present, not sure what you want done about that, maybe leave current check, but add `or user._secret`? I left it as is for now, so there is no way to add user to online list with `API_SECRET`.
I've updated some of the libs, specifically those that should not be a problem judging on changelogs and other modules where we either started or upgraded to newer versions. However, I'm a bit reluctant to switch some of the others, specifically:
Let me know if you'd like me to look into any of those.
there is no way to add user to online list with API_SECRET.
It's alright: very minor (we'll probably never need that).
BTW why would the email be required for onlinelist, just wondering? That's part of a side question: we're discussing the option to allow users to change the email address associated with their account. To accommodate the way "authdb" works so far, we'll need to add a store "{ signupEmail => currentEmail }". Then, we make 2 requests at each authentication (current one to get user info + 1 request to override email with the current email). As far as I remember, the user's email address is mostly never used throughout the app. So I thought we might just wipe it out from authdb store altogether? (thus my original question, why is it used by onlinelist)
[...] stuff to upgrade that requires some effort or might be a little risky [...] Let me know if you'd like me to look into any of those.
No, let's keep that aside.
My guess would be that users won't appear "online" when we access their endpoints with `API_SECRET`.