[Pulp-dev] [pulp-dev] Updating the MVP to support a different JWT reset implementation

Michael Hrivnak mhrivnak at redhat.com
Thu Oct 26 01:13:46 UTC 2017


Love it. I had the thought at some point that it might make sense to bundle
the password reset operation with an optional token invalidation, and maybe
that's how we ended up with this MVP language. In any case, this is a very
good fit for a controller endpoint. We do not want the user to provide the
new state. We don't even necessarily want the user to know or care that
there is a jwt secret stored somewhere. The user just wants to request an
action, which is to invalidate any existing tokens.

On Wed, Oct 25, 2017 at 8:04 PM, Bihan Zhang <bizhang at redhat.com> wrote:

> Currently the jwt reset is accomplished through a write_only
> reset_jwt_secret field passed to the */api/v3/users/{username}/*
> endpoint. Since this field does not exist on our model it would have to be
> deleted before model create/update is called, the fact that it is not is
> causing issue #3075 to occur.
>
>
> On a comment in #3075 [1] I suggested creating a controller URI to
> mitigate this problem, but this would go against a MVP use case of
>
>> As an authenticated user, I can invalidate a user's JWTs in the same
>> operation as updating the password. [done]
>>
> I would like to propose that we remove this MVP use case since the current
> implementation (and I believe any implementation that allows jwt resets to
> be accomplished at the */api/v3/users/{username}/* URI) tunnels the
> endpoint and "uses a single URI to POST to, and varying messages to express
> differing intents" [2]
>
> The user could instead make a call to update their password and another
> (maybe at */api/v3/users/{username}/jwt* ) to reset their JWT secret.
>
> Thoughts?
>
> [0] https://pulp.plan.io/issues/3075
> [1] https://pulp.plan.io/issues/3075#note-3
> [2] https://www.infoq.com/articles/rest-anti-patterns
>
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
>
>


-- 

Michael Hrivnak

Principal Software Engineer, RHCE

Red Hat
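As an added illustration of the design point in the thread (not Pulp's code and not the implementation anyone in the discussion wrote): a per-user JWT signing secret, a write-only `reset_jwt_secret` field tunneled through the user update (which must be popped before the model update, the step #3075 says was missing), and a separate controller-style action that expresses only the intent "invalidate my tokens". The HS256 JWT is built from the Python standard library so the file runs offline; `User`, `apply_model_update`, `update_user` and `reset_jwt_secret` are hypothetical names.

```python
# Added example, not Pulp's own code. Per-user JWT secret plus the two reset
# styles discussed in the thread; all class and function names are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time

MODEL_FIELDS = {"username", "password"}  # fields the (hypothetical) model accepts


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class User:
    """Each user carries its own signing secret; rotating it invalidates every
    token that was signed with the old one, with no token blacklist needed."""

    def __init__(self, username: str, password: str):
        self.username = username
        # SHA-256 is a stand-in here, not a recommendation for password storage.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.jwt_secret = secrets.token_bytes(32)


def issue_token(user: User, ttl: int = 3600, now=None) -> str:
    """Sign {sub, iat, exp} with the user's current secret (HS256)."""
    now = int(time.time()) if now is None else now
    h64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p64 = _b64url(json.dumps({"sub": user.username, "iat": now, "exp": now + ttl},
                             separators=(",", ":")).encode())
    sig = hmac.new(user.jwt_secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"


def verify_token(token: str, users: dict, now=None):
    """Return the username if the token verifies against that user's *current*
    secret and has not expired; None for any malformed, forged, rotated or
    expired token."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    user = users.get(payload.get("sub"))
    if user is None:
        return None
    expected = hmac.new(user.jwt_secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return user.username


def apply_model_update(user: User, data: dict) -> None:
    """Stand-in for model create/update: rejects fields the model does not have."""
    unknown = set(data) - MODEL_FIELDS
    if unknown:
        raise TypeError(f"model has no field(s): {sorted(unknown)}")
    if "password" in data:
        user.password_hash = hashlib.sha256(data["password"].encode()).hexdigest()


def update_user(user: User, data: dict, pop_write_only: bool = True) -> None:
    """Tunneled style: PUT /api/v3/users/{username}/ carrying a write_only
    reset_jwt_secret flag. The serializer must pop the flag before the model
    update; pop_write_only=False reproduces the shape of the #3075 failure."""
    data = dict(data)
    reset = data.pop("reset_jwt_secret", False) if pop_write_only else False
    apply_model_update(user, data)
    if reset:
        user.jwt_secret = secrets.token_bytes(32)


def reset_jwt_secret(user: User) -> None:
    """Controller style, e.g. POST /api/v3/users/{username}/jwt: the client
    states an intent only; it neither supplies nor sees the new secret."""
    user.jwt_secret = secrets.token_bytes(32)
```

The verifier looks the secret up by the token's `sub` claim and rejects anything not signed under the user's current secret, so rotation alone is the invalidation mechanism; the controller action needs no request body at all, which is the "request an action" shape the reply above argues for.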