Comments (9)
How about applying the whitelist principle to API security? Basically disallowing all access by default, so that actions have to be made accessible explicitly based on permissions.
Sounds good to me. I think we'll implement a basic version of the OAuth2 spec, similar to what Ghost have planned. I'll see if I can draft our own detailed plan next week.
SAML for having authentication too
We will also need to implement some form of API throttling
Rate-limiting would be best to handle this case. Similar to how the GitHub API, via the command line, tells you how many requests you have left for one minute or two.
How about: if a user does an HTTP GET or POST request for a forum thread for one minute via curl, flash the message saying: "You have $(api.rate_limit) requests left." When exceeded, prompt them to log in to expand their rate limit.
Is this a good approach? I feel this is a great idea but it can be quite a pain and insubstantial if not implemented properly.
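A sketch of the guest-versus-token rate limiter proposed above, added here as an illustration rather than code from Flarum or a public-api extension. The limits, window length and header names are assumptions; a fixed-window counter is keyed by API token when one is presented and by client IP otherwise, so a guest who exhausts the smaller budget is told to authenticate for the larger one.

```python
import time
from dataclasses import dataclass, field

GUEST_LIMIT = 60      # requests per window without a token (assumed value)
AUTH_LIMIT = 600      # requests per window with a valid API token (assumed value)
WINDOW_SECONDS = 60   # fixed window length (assumed value)


@dataclass
class RateLimiter:
    """Fixed-window counter keyed by caller identity: (token) or (client IP)."""
    counters: dict = field(default_factory=dict)  # key -> (count, window_start)

    def check(self, client_ip, api_token=None, now=None):
        """Return (status, headers, message) for one incoming API request."""
        now = time.time() if now is None else now
        if api_token:
            key, limit = ("token", api_token), AUTH_LIMIT
        else:
            key, limit = ("ip", client_ip), GUEST_LIMIT
        window_start = int(now // WINDOW_SECONDS) * WINDOW_SECONDS
        count, start = self.counters.get(key, (0, window_start))
        if start != window_start:          # a new window has begun: reset the counter
            count, start = 0, window_start
        allowed = count < limit
        if allowed:
            count += 1                     # only successful requests consume budget
        self.counters[key] = (count, start)
        remaining = max(limit - count, 0)
        headers = {                        # GitHub-style headers so clients can self-throttle
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(remaining),
            "X-RateLimit-Reset": str(start + WINDOW_SECONDS),
        }
        if allowed:
            return 200, headers, f"You have {remaining} requests left."
        msg = "Rate limit exceeded."
        if not api_token:
            msg += " Log in and send an API token to get a higher limit."
        headers["Retry-After"] = str(start + WINDOW_SECONDS - int(now))
        return 429, headers, msg


if __name__ == "__main__":
    limiter = RateLimiter()
    # constructed sample: one guest IP (documentation range) hammering the endpoint
    for _ in range(GUEST_LIMIT + 1):
        status, headers, message = limiter.check("203.0.113.5")
    print(status, headers["X-RateLimit-Remaining"], message)
```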
I'm thinking that should all be part of a separate extension, which could be called public-api. That would then take care of handling rate limits as well as exposing the API to the public (by sending the appropriate Access-Control headers).
Yeah, that makes a lot of sense. Doing its API in a separate repository as an extension would be wonderful to implement.
Sounds good. In any case, we need to implement the whitelisting security for beta. How do we go about doing that?
Thinking about this some more, I'm not sure if there's anything we actually need to do.
The parts requiring authentication are already locked down, as they're inaccessible without an API token (which requires a username/password). But the public endpoints, like http://discuss.flarum.org/api/discussions, need to be accessible without a token so that guests can view the forum. And there's no way to limit their access to just Flarum's web client, because the web client can't keep a secret.
I guess there's nothing really wrong with this anyway. It just makes data mining slightly easier :)
Going to close this now. We can revisit OAuth/public-api later.