+1
On 10/25/2017 07:04 PM, Bihan Zhang wrote:
> Currently the jwt reset is accomplished through a write_only reset_jwt_secret
> field passed to the
> //api/v3/users/{username}// endpoint. Since this field does not exist on our
> model it would have to be deleted
> before model create/update is called, the fact that it is not is causing
> issue #3075 to occur.
>
>
> On a comment in #3075 [1] I suggested creating a controller URI to mitigate
> this problem, but this would go
> against a MVP use case of
>
> As an authenticated user, I can invalidate a user's JWTs in the same
> operation as updating the password. [done]
>
> I would like to propose that we remove this MVP use case since the current
> implementation (and I believe any
> implementation that allows jwt resets to be accomplished at the
> //api/v3/users/{username}// URI) tunnels the
> endpoint and "uses a single URI to POST to, and varying messages to express
> differing intents" [2]
>
> The user could instead make a call to update their password and another (maybe
> at //api/v3/users/{username}/jwt/ ) to reset their JWT secret.
>
> Thoughts?
>
> [0] https://pulp.plan.io/issues/3075
> [1] https://pulp.plan.io/issues/3075#note-3
> [2] https://www.infoq.com/articles/rest-anti-patterns
>
>
> _______________________________________________
> Pulp-dev mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-dev
>
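The defect described in the quoted message, as an added illustration (not Pulp's own code): a write-only `reset_jwt_secret` flag that reaches the model update untouched fails because the model has no such attribute, whereas popping it from the validated data first lets a password change and a JWT secret rotation happen in one call. `User`, `update_user_buggy` and `update_user_fixed` are hypothetical stand-ins for the serializer and model, not Pulp identifiers.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    """Hypothetical user model: note there is no reset_jwt_secret attribute."""
    username: str
    password: str
    jwt_secret: str = field(default_factory=lambda: secrets.token_hex(32))


def _apply(user: User, data: dict) -> User:
    # Stand-in for a model create/update: every key must be a real field.
    for name, value in data.items():
        if not hasattr(user, name):
            raise AttributeError(f"User has no field {name!r}")
        setattr(user, name, value)
    return user


def update_user_buggy(user: User, validated_data: dict) -> User:
    # Mirrors the reported problem: the write-only flag is still present
    # when the model update runs, so the update blows up.
    return _apply(user, validated_data)


def update_user_fixed(user: User, validated_data: dict) -> User:
    # Strip the non-model flag before touching the model, then act on it.
    data = dict(validated_data)
    reset = data.pop("reset_jwt_secret", False)
    _apply(user, data)
    if reset:
        # Rotating the secret invalidates every JWT signed with the old one.
        user.jwt_secret = secrets.token_hex(32)
    return user
```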
