[Pulp-dev] [pulp-dev] Updating the MVP to support a different JWT reset implementation

Bihan Zhang bizhang at redhat.com
Thu Oct 26 00:04:15 UTC 2017

> Currently the jwt reset is accomplished through a write_only
reset_jwt_secret field passed to the */api/v3/users/{username}/* endpoint.
Since this field does not exist on our model it would have to be deleted
before model create/update is called, the fact that it is not is causing
issue #3075 to occur.

On a comment in #3075 [1] I suggested creating a controller URI to mitigate
this problem, but this would go against a MVP use case of

> As an autheticated user, I can invalidate a user's JWTs in the same
> operation as updating the password. [done]
I would like to propose that we remove this MVP use case since the current
implementation (and I believe any implementation that allows jwt resets to
be accomplished at the */api/v3/users/{username}/* URI) tunnels the
endpoint and "uses a single URI to POST to, and varying messages to express
differing intents" [2]

The user could instead make a call to update their password and another
(maybe at */api/v3/users/{username}/jwt* ) to reset their JWT secret.


[0] https://pulp.plan.io/issues/3075
[1] https://pulp.plan.io/issues/3075#note-3
[2] https://www.infoq.com/articles/rest-anti-patterns
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20171025/b4b40436/attachment.htm>

More information about the Pulp-dev mailing list