enhance(api): OAuth bearer token authentication #9021
Conversation
Properly document GET API endpoints. Added Bearer token authentication.
Johann150
added
🧩API
| @@ -43,7 +43,8 @@ export default (endpoint: IEndpoint, ctx: Koa.Context) => new Promise<void>((res | |||
| }; | |||
|
|
|||
| // Authentication | |||
| authenticate(body['i']).then(([user, app]) => { | |||
| // for GET requests, do not even pass on the body parameter as it is considered unsafe | |||
| authenticate(ctx.headers.authorization, ctx.method === 'GET' ? null : body['i']).then(([user, app]) => { | |||
| // API invoking | |||
| call(endpoint.name, user, app, body, ctx).then((res: any) => { | |||
| if (ctx.method === 'GET' && endpoint.meta.cacheSec && !body['i'] && !user) { | |||
There was a problem hiding this comment.
appがGETでBearer認証した時にキャッシュしないために
&& !ctx.headers.authorization && !app とかが必要?
There was a problem hiding this comment.
From my understanding, requests that have an Authorization field are not cacheable. See also RFC 7234 § 3.2 and RFC 7235 § 4.2.
There was a problem hiding this comment.
通常キャッシュはしないのはわかるけど、あえてキャッシュ可能とサーバーから返しちゃうのは違う感だわ
There was a problem hiding this comment.
まあ、本来ここで考慮しといた方が良かった問題ではあるけどだわ
58e83f8
There was a problem hiding this comment.
現状の実装は間違っていないし今の実装を否定するつもりもないけど、
不適切な実装や、不適切なユーザーでの挙動の上書き をある程度考慮してあげた方が親切と思うのだわ。
There was a problem hiding this comment.
I found additional specs.
From my understanding, requests that have an Authorization field are not cacheable. See also RFC 7234 § 3.2 and RFC 7235 § 4.2.
This behavior seems to be overridden by the Cache-Control: public directive.
https://datatracker.ietf.org/doc/html/rfc7234#section-3
https://datatracker.ietf.org/doc/html/rfc7234#section-5.2.2.5
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#directives
public
:
Responses for requests with Authorization header fields must not be stored in a shared cache;
however, the public directive will cause such responses to be stored in a shared cache.
So, it seems that if you use the Authorization header, you should not make it public.
There was a problem hiding this comment.
Yes, but this was already the case. (Of course I cannot say if it is still the case.)
For example here, the code first checks that there is no authenticated users before setting public:
misskey/packages/backend/src/server/api/ApiCallService.ts
Lines 73 to 75 in 75888a5
I think even the check !body?.['i'] is not really necessary too? Because if the token is valid, the check for !user will be equivalent, and if it is not valid, it will always be an error.
There was a problem hiding this comment.
Yes, user always exists on successful authentication (even with appToken authentication). So I think you should be fine without !body?.['i'].
|
There are many merge conflicts and I do not have time or motivation to refactor to the new code layout. |
What
i.Why
Towards implementing OAuth 2.0 (#8262), but does not solve the issue yet.
Additional info
Using both authentication methods at the same time is not allowed: