API authentication for automated interaction
At the end of 2022, the Chrome browser will deprecate extensions manifest v2, which will also mean a quite limited ability for Pontoon Add-on to communicate with the Pontoon server using the session cookie as authorization. As the author of Pontoon Add-on, I would like Pontoon to support a better authentication mechanism for its API.
There are probably several ways this could be implemented, so I will just try to list them here. I understand Pontoon does not have a coherent API per se, so it may be overkill to go for a full-blown separation of authN and authZ from frontend cookies to some tokens etc. Some easier but less reusable methods I can see:
- basic/digest auth header (but Pontoon does not always have a way to validate user credentials, e.g. with FxA, right?)
- session cookie or ID accepted also via another header
- some form of API client token, which Pontoon Add-on could obtain (understand steal) via automated website interaction, or via the messaging API which is now used for its detection, or the user would need to generate and provide for Pontoon Add-on in a semi-assisted way
Besides the options above, I found the identity API, which should provide the option to integrate browser extensions with OAuth2 services. However, I have literally zero experience with OAuth2, so right now I cannot tell how hard it would be to implement the necessary bits and pieces on either the Pontoon or Pontoon Add-on side to work universally between Pontoon instances.
Today I found (and sorry for my negligence) that supposedly Firefox will keep the webRequest API for manifest v3. If that's true, Pontoon Add-on won't need that change, because Firefox will stay compatible, and in Chrome the feature is not supported even now.
Thanks for the update. That's good to know.
I'm lowering the priority, but keeping the issue open. Pontoon API still needs to support authentication, which will be beneficial for other use cases and should make Pontoon Add-On authentication more "proper". We discussed this at the last Pontoon call and lean towards the token-based solution (similar to GitHub’s Personal access token).
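As an added illustration of the token-based option the thread leans towards (GitHub-style personal access tokens), here is a standalone sketch that is not Pontoon's code: the server shows a high-entropy token once, stores only its SHA-256 digest, and authenticates API requests from an `Authorization: Bearer <token>` header. The `pontoon_pat_` prefix, the header scheme and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed prefix: makes a leaked token recognisable in logs or secret scanners.
TOKEN_PREFIX = "pontoon_pat_"


def _digest(token: str) -> str:
    # One-way digest; the plaintext token is never persisted server-side.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenStore:
    # Hypothetical in-memory store: sha256(token) -> (username, scope).
    _hashes: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def issue(self, username: str, scope: str = "read") -> str:
        """Create a token for a user; the return value is shown to the user exactly once."""
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)  # ~256 bits of entropy
        self._hashes[_digest(token)] = (username, scope)
        return token

    def revoke(self, token: str) -> bool:
        """Delete a token; returns False if it was unknown or already revoked."""
        return self._hashes.pop(_digest(token), None) is not None

    def authenticate(self, authorization: Optional[str]) -> Optional[Tuple[str, str]]:
        """Resolve an 'Authorization: Bearer <token>' header to (username, scope), else None."""
        if not authorization:
            return None
        scheme, _, token = authorization.partition(" ")
        if scheme.lower() != "bearer" or not token.startswith(TOKEN_PREFIX):
            return None
        # Looking up the digest is safe: the token is random and the digest
        # is one-way, so a stolen database cannot be turned back into tokens.
        return self._hashes.get(_digest(token))
```

A request with a revoked, malformed or non-Bearer header resolves to `None`, which the API layer would turn into a 401.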