Open cypreess opened 5 years ago
The rationale is reasonable, but I'm contemplating the security implications of such an implementation. I know I'm not the one to judge potential misuse, but I'm tempted to implement it in such a way that the token would be invalidated on an attempt to use this method over an unsecured channel :smile:
It would be great if an additional scheme of Token auth would be possible.
Instead of asking for filling out a specific HTTP header (Authorization: Token xxxx), the token could be passed as a user in the link:
https://xxxx@myserver/myendpoint/
Rationale: this greatly simplifies writing service-oriented applications. Access to an external service API can then be exposed as a single link only, rather than two parameters, a link and a token, that have to be specially taken into consideration when creating an HTTP request.
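A sketch of how a server could accept both forms discussed in this thread, added here as an example and not taken from the issue or from the project's code. It assumes the client turns the user part of `https://xxxx@myserver/` into an `Authorization: Basic` header with an empty password; `extract_token`, `authenticate` and the in-memory `tokens` dict are hypothetical names, and the revoke-on-cleartext rule follows the idea in the comment above.

```python
import base64
import binascii


def extract_token(authorization):
    """Return (token, via_url_user) parsed from an Authorization header value.

    Handles the header form `Token xxxx` and the Basic form assumed to be
    produced from https://xxxx@host/ (username = token, empty password).
    """
    if not authorization:
        return None, False
    scheme, _, value = authorization.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "token" and value:
        return value, False
    if scheme != "basic":
        return None, False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None, False
    username, _, password = decoded.partition(":")
    # Only "token as user, no password" counts as this scheme; ordinary
    # username/password Basic credentials are left to other handlers.
    if not username or password:
        return None, False
    return username, True


def authenticate(authorization, is_secure, tokens):
    """Map a request to a user name, or None if it must be rejected.

    `tokens` is a constructed stand-in for the token store: {token: user}.
    """
    token, via_url_user = extract_token(authorization)
    if token is None:
        return None
    if via_url_user and not is_secure:
        # The token has crossed the network in cleartext: revoke it so a
        # captured copy is useless, then refuse the request.
        tokens.pop(token, None)
        return None
    return tokens.get(token)
```

A token carried in the URL also tends to end up in places a header does not, such as shell history, proxy and access logs, and copied links, so a deployment that accepts it still needs those places treated as secret-bearing.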