[Pulp-dev] [pulp-dev] Updating the MVP to support a different JWT reset implementation

Jeff Ortel jortel at redhat.com
Thu Oct 26 12:57:43 UTC 2017


On 10/25/2017 07:04 PM, Bihan Zhang wrote:
> Currently the jwt reset is accomplished through a write_only reset_jwt_secret field passed to the
> //api/v3/users/{username}// endpoint. Since this field does not exist on our model it would have to be deleted
> before model create/update is called, the fact that it is not is causing issue #3075 to occur.
> On a comment in #3075 [1] I suggested creating a controller URI to mitigate this problem, but this would go
> against a MVP use case of
>     As an autheticated user, I can invalidate a user's JWTs in the same operation as updating the password. [done]
> I would like to propose that we remove this MVP use case since the current implementation (and I believe any
> implementation that allows jwt resets to be accomplished at the //api/v3/users/{username}// URI) tunnels the
> endpoint and "uses a single URI to POST to, and varying messages to express differing intents" [2]
> The user could instead make a call to update their password and another (maybe
> at //api/v3/users/{username}/jwt/ ) to reset their JWT secret. 
> Thoughts?
> [0] https://pulp.plan.io/issues/3075
> [1] https://pulp.plan.io/issues/3075#note-3
> [2] https://www.infoq.com/articles/rest-anti-patterns
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 847 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20171026/5b5adbe0/attachment.sig>

More information about the Pulp-dev mailing list