
Total compatibility as API endpoint

Open frederikhors opened this issue 5 years ago • 2 comments

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (https://github.com/volatiletech/authboss/issues/210).


I read https://github.com/volatiletech/authboss/issues/234#issuecomment-495244322 but I think this should be in our backlog.

Authboss is amazing and for people like me who are using it as an endpoint for JSON-API requests it's important to handle:

  • https://github.com/volatiletech/authboss/issues/234, incorrect requests return status code 200 in case of a faulty request (like wrong credentials or an invalid recovery token). It's extremely important also because Chrome (for example), after the login POST request, if the 200 status code is present, shows a popup for saving the password ALSO if the username/password are wrong!

  • https://github.com/volatiletech/authboss/issues/248, a user can get the message {"status":"success"} on GET calls to the /login endpoint

  • https://github.com/volatiletech/authboss/issues/251, handle renderer/redirector logic instead of CorceRedirectTo200 "solution"

frederikhors, Feb 01 '20 21:02

> It's extremely important also because Chrome (for example), after the login POST request, if the 200 status code is present, shows a popup for saving the password ALSO if the username/password are wrong!

Ah yea, that's a shame. Though it's not really that important. Why would a user save a username and password that is wrong? And why would they not have the credentials already saved from previously logging in if they use the Chrome password storage?

Anyway - we could potentially change this. We could add a config option to control the failure condition of redirects. We do know if it's a failure, but we do not know what kind, which is sort of the problem. Perhaps we could change the RedirectOptions struct to enable some more API-like options in V3.

aarondl, Feb 10 '20 03:02

> Though it's not really that important. Why would a user save a username and password that is wrong?

Because the application is used by elderly people or people who have very little predisposition or experience with browsers and the web.

> Anyway - we could potentially change this. We could add a config option to control the failure condition of redirects. We do know if it's a failure, but we do not know what kind, which is sort of the problem. Perhaps we could change the RedirectOptions struct to enable some more API-like options in V3.

Thank you. No hurry. Issue open for backlog.

frederikhors, Feb 10 '20 12:02
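An added example, not part of the thread and not authboss code: a plain `net/http` wrapper an API consumer could place in front of the auth routes so that a 200 response carrying a failure body reaches the client as a 4xx. `FixAuthStatus`, `bufferedWriter` and `statusFor` are hypothetical names, and the `"failure"` status value is an assumption (the thread only shows `{"status":"success"}`).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bufferedWriter captures status and body so the status can be changed afterwards.
type bufferedWriter struct {
	header http.Header
	status int
	body   bytes.Buffer
}

func (b *bufferedWriter) Header() http.Header         { return b.header }
func (b *bufferedWriter) WriteHeader(code int)        { b.status = code }
func (b *bufferedWriter) Write(p []byte) (int, error) { return b.body.Write(p) }

// FixAuthStatus (hypothetical helper) re-sends a 200 JSON response whose
// "status" field is "failure" (assumed value) with failCode instead.
func FixAuthStatus(next http.Handler, failCode int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		buf := &bufferedWriter{header: http.Header{}, status: http.StatusOK}
		next.ServeHTTP(buf, r)
		var payload struct{ Status string `json:"status"` }
		if buf.status == http.StatusOK && json.Unmarshal(buf.body.Bytes(), &payload) == nil && payload.Status == "failure" {
			buf.status = failCode // the kind of failure is unknown, so one code covers all
		}
		for k, v := range buf.header {
			w.Header()[k] = v
		}
		w.WriteHeader(buf.status)
		w.Write(buf.body.Bytes())
	})
}

// statusFor sends a constructed 200 response with the given body through the
// wrapper and returns the status code the client would see.
func statusFor(body string) int {
	stub := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(body))
	})
	rec := httptest.NewRecorder()
	FixAuthStatus(stub, http.StatusUnauthorized).ServeHTTP(rec, httptest.NewRequest("POST", "/login", nil))
	return rec.Code
}

func main() { fmt.Println(statusFor(`{"status":"failure"}`), statusFor(`{"status":"success"}`)) }
```

Non-JSON bodies and responses that already carry a non-200 status pass through unchanged.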