[Pulp-dev] [pulp-dev] Updating the MVP to support a different JWT reset implementation
Jeff Ortel
jortel at redhat.com
Thu Oct 26 12:57:43 UTC 2017
+1
On 10/25/2017 07:04 PM, Bihan Zhang wrote:
> Currently the JWT reset is accomplished through a write_only reset_jwt_secret field passed to the
> //api/v3/users/{username}// endpoint. Since this field does not exist on our model it would have to be deleted
> before model create/update is called; the fact that it is not is causing issue #3075 to occur.
>
>
> In a comment on #3075 [1] I suggested creating a controller URI to mitigate this problem, but this would go
> against an MVP use case of
>
> As an authenticated user, I can invalidate a user's JWTs in the same operation as updating the password. [done]
>
> I would like to propose that we remove this MVP use case since the current implementation (and I believe any
> implementation that allows JWT resets to be accomplished at the //api/v3/users/{username}// URI) tunnels the
> endpoint and "uses a single URI to POST to, and varying messages to express differing intents" [2].
>
> The user could instead make a call to update their password and another (maybe
> at //api/v3/users/{username}/jwt/ ) to reset their JWT secret.
>
> Thoughts?
>
> [0] https://pulp.plan.io/issues/3075
> [1] https://pulp.plan.io/issues/3075#note-3
> [2] https://www.infoq.com/articles/rest-anti-patterns
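Added example, not code from this thread or from Pulp: a standard-library sketch of the two points discussed above, removing the write-only reset_jwt_secret field before anything reaches the model, and invalidating a user's JWTs by rotating a per-user signing secret. The User class, function names and field layout are hypothetical; only the reset_jwt_secret field name comes from the message, and verification here checks the signature only.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass, field

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(secret: str, signing_input: str) -> str:
    return _b64(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000).hex()

@dataclass
class User:  # hypothetical stand-in for the user model
    username: str
    password_hash: str = ""
    jwt_secret: str = field(default_factory=lambda: secrets.token_hex(32))

def issue_token(user: User) -> str:
    """Minimal HS256 JWT signed with the user's own secret."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"username": user.username}).encode())
    return f"{header}.{payload}.{_sign(user.jwt_secret, header + '.' + payload)}"

def verify_token(user: User, token: str) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    return hmac.compare_digest(_sign(user.jwt_secret, parts[0] + "." + parts[1]), parts[2])

def rotate_jwt_secret(user: User) -> None:
    """What a dedicated JWT-reset operation would do: old tokens stop verifying."""
    user.jwt_secret = secrets.token_hex(32)

def update_user(user: User, request_data: dict) -> User:
    data = dict(request_data)
    # reset_jwt_secret is write-only and not a model field: take it out
    # before anything is applied to the model.
    reset = data.pop("reset_jwt_secret", False) is True
    unknown = set(data) - {"password"}
    if unknown:
        raise ValueError(f"not model fields: {sorted(unknown)}")
    if "password" in data:
        user.password_hash = hash_password(data["password"])
    if reset:
        rotate_jwt_secret(user)
    return user
```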