Love it. I had the thought at some point that it might make sense to bundle the password reset operation with an optional token invalidation, and maybe that's how we ended up with this MVP language. In any case, this is a very good fit for a controller endpoint. We do not want the user to provide the new state. We don't even necessarily want the user to know or care that there is a jwt secret stored somewhere. The user just wants to request an action, which is to invalidate any existing tokens.
On Wed, Oct 25, 2017 at 8:04 PM, Bihan Zhang <[email protected]> wrote:
> Currently the jwt reset is accomplished through a write_only
> reset_jwt_secret field passed to the */api/v3/users/{username}/*
> endpoint. Since this field does not exist on our model it would have to be
> deleted before model create/update is called; the fact that it is not is
> causing issue #3075 to occur.
>
> On a comment in #3075 [1] I suggested creating a controller URI to
> mitigate this problem, but this would go against an MVP use case of
>
>> As an authenticated user, I can invalidate a user's JWTs in the same
>> operation as updating the password. [done]
>
> I would like to propose that we remove this MVP use case since the current
> implementation (and I believe any implementation that allows jwt resets to
> be accomplished at the */api/v3/users/{username}/* URI) tunnels the
> endpoint and "uses a single URI to POST to, and varying messages to express
> differing intents" [2]
>
> The user could instead make a call to update their password and another
> (maybe at */api/v3/users/{username}/jwt* ) to reset their JWT secret.
>
> Thoughts?
>
> [0] https://pulp.plan.io/issues/3075
> [1] https://pulp.plan.io/issues/3075#note-3
> [2] https://www.infoq.com/articles/rest-anti-patterns
>
> _______________________________________________
> Pulp-dev mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-dev

-- 
Michael Hrivnak
Principal Software Engineer, RHCE
Red Hat
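The two designs argued over in the exchange above, as an added example that is not Pulp's code and was not posted by either participant. It uses only the Python standard library so it runs without Django or DRF. Everything beyond the thread is an assumption: the per-user HS256 secret stored on the user record, the `UserModel`, `issue_token`, `verify_token`, `update_user_tunnelled` and `reset_jwt_secret_controller` names, and the body of the controller endpoint at the `/api/v3/users/{username}/jwt` path the thread proposes. It shows why the write_only `reset_jwt_secret` flag has to be stripped before the remaining fields reach the model, and that a controller endpoint achieves the same invalidation with the client supplying no state.

```python
"""Added example, not Pulp's code: the tunnelled update versus a controller
endpoint for resetting a user's JWT secret, modelled with the standard library.
Assumptions (not from the thread): a per-user HS256 secret on the user row and
the helper names used here."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str) -> str:
    """Salted PBKDF2 so the example never stores a plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


@dataclass
class UserModel:
    """Stand-in for the user row (assumed shape); FIELDS are its only writable columns."""
    username: str
    password_hash: str = ""
    jwt_secret: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    FIELDS = ("username", "password_hash")

    def update(self, **data):
        # Mirrors a model save that only knows its own columns: an action flag
        # that leaks through here is an error, not a silent no-op.
        for name, value in data.items():
            if name not in self.FIELDS:
                raise AttributeError(f"{name!r} is not a field on UserModel")
            setattr(self, name, value)
        return self


def issue_token(user: UserModel, claims: dict) -> str:
    """Mint an HS256 JWT signed with the user's current secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user.username, **claims}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(user.jwt_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(user: UserModel, token: str):
    """Return the claims if the signature matches the user's current secret, else None.
    Rotating jwt_secret is what invalidates every token issued before the rotation."""
    try:
        header, payload, sig = token.split(".")
        signing_input = f"{header}.{payload}".encode()
        expected = hmac.new(user.jwt_secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None


def update_user_tunnelled(user: UserModel, validated_data: dict, strip_action_fields: bool = True):
    """PUT/PATCH /api/v3/users/{username}/ carrying the write_only reset_jwt_secret flag.
    The flag has no column, so it must be popped before the rest reaches the model;
    with strip_action_fields=False it leaks through and UserModel.update raises."""
    data = dict(validated_data)
    reset = data.pop("reset_jwt_secret", False) if strip_action_fields else False
    if "password" in data:
        data["password_hash"] = hash_password(data.pop("password"))
    user.update(**data)
    if reset:
        user.jwt_secret = secrets.token_urlsafe(32)
    return user


def reset_jwt_secret_controller(user: UserModel) -> dict:
    """POST /api/v3/users/{username}/jwt (path proposed in the thread, body assumed):
    the server rotates the secret; the request carries no new state at all."""
    user.jwt_secret = secrets.token_urlsafe(32)
    return {"detail": "JWT secret reset; existing tokens are no longer valid"}


def demo() -> dict:
    user = UserModel("alice", hash_password("old-pw"))
    first = issue_token(user, {"scope": "read"})
    valid_before = verify_token(user, first) is not None
    # One-operation variant: change the password and reset the secret together.
    update_user_tunnelled(user, {"password": "new-pw", "reset_jwt_secret": True})
    first_dead = verify_token(user, first) is None
    # Controller variant: a separate call with no body, same effect on outstanding tokens.
    second = issue_token(user, {"scope": "read"})
    reset_jwt_secret_controller(user)
    second_dead = verify_token(user, second) is None
    # Forgetting to strip the flag: the model is handed a field it does not have.
    try:
        update_user_tunnelled(user, {"reset_jwt_secret": True}, strip_action_fields=False)
        flag_leaked = False
    except AttributeError:
        flag_leaked = True
    return {"valid_before": valid_before, "first_dead": first_dead,
            "second_dead": second_dead, "unstripped_flag_raises": flag_leaked}
```

Run `demo()` to see all four checks come back true. The controller variant is the one that matches the "request an action" framing: the handler takes nothing from the client, so there is no field to strip and no way for a caller to tunnel unrelated state through the user update.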
