    pogobanane
    @pogobanane
    oh
    Marcel Klehr
    @marcelklehr
    you could do a feature detection request as I do for certain things in the adapter, e.g. for hashes or for the full children endpoint
    /folder/:id/children was introduced in bookmarks v3, for example
    if you try to fetch that in onSyncStart you can detect the bookmarks version
    pogobanane
    @pogobanane
    could do yes
    Marcel Klehr
    @marcelklehr
    it might be even better to actually test the feature you want to use, i.e. the cookie behavior, but I'm not sure how that would be possible
    the benefit of doing detection onSyncStart is that you get the benefit of your hack for all endpoints, not just the 'new' ones ;)
    but I still have to figure out how to avoid CSRF with my changes to the API...
    pogobanane
    @pogobanane
    I don't know what your plan for auth looks like. And what the use cases of those public access tokens you were talking about would be.
    Marcel Klehr
    @marcelklehr
    The current problem I'm facing is that the public API is vulnerable to cross-site request forgery, because people can trick you into clicking an API link, having you authenticated by your cookies and having the API execute the request without your intention.
    This is the very functionality that allows your hack to work, unfortunately
    so the possible solutions are:
    • go back to nc-handled auth
      • no cookie-hack
      • no public tokens
    • disable nc-handled cookie auth / session-auth on bookmarks master
      • no cookie-hack
      • public tokens still possible
    • roll own cookie auth with csrf
      • insane and error-prone
    What you could explore without me interfering is to try to use the internal API instead of the public-facing API
    Marcel Klehr
    @marcelklehr
    i.e. instead of /apps/bookmarks/public/rest/v2/{endpoint} point requests at /apps/bookmarks/{endpoint}
    pogobanane
    @pogobanane

    What you could explore without me interfering is to try to use the internal API instead of the public-facing API

    because this is not under construction right now?

    Marcel Klehr
    @marcelklehr
    yep
    pogobanane
    @pogobanane
    I see
    Marcel Klehr
    @marcelklehr
    and because I think, given the CSRF issues, it's unlikely for the cookie-hack to work with the public API
    I'm not sure if/how you can access the internal API from different domains, though
    and you'll definitely need to implement CSRF
    i.e. send the CSRF-token received from the last response for the next request
    Marcel Klehr
    @marcelklehr
    if need be, we can add a @CORS annotation to those internal routes, I'm not sure if that's necessary
    pogobanane
    @pogobanane
    As I understand, auth options on bookmarks/master are:
    1. public token; transmitted in url; for sharing bookmarks with the public
    2. basic Authorization header; big overhead because we log in & passwordVerify for every request; has CSRF issues right now
    3. ? bearer Authorization header
    pogobanane
    @pogobanane
    options for fixing CSRF for 2.:
    • disable cookie auth and require login for every request
    • implement CSRF tokens and require login for every request
    • go insane, implement csrf tokens in cookie-hack and bookmarks while still allowing session cookie auth
    Marcel Klehr
    @marcelklehr

    implement CSRF tokens and require login for every request

    CSRF tokens are only necessary when cookie auth is possible

    ? bearer Authorization header

    the bearer auth option is an alternative for passing the public token

    it is worth noting, though that the bookmarks app has two APIs
    an internal one and an external one
    pogobanane
    @pogobanane
    ah ok
    Marcel Klehr
    @marcelklehr
    the external one is where I'm running my own auth
    the internal API was only intended for the bookmarks UI, i.e. it assumes you have valid session cookies and a CSRF token -- I'm not sure if it even allows basic auth, but it might
    so, in order to still make use of the cookie hack, we could try to use the internal API instead
    instead of /apps/bookmarks/public/rest/v2/{endpoint} point requests at /apps/bookmarks/{endpoint} and send session cookies and CSRF-token
    pogobanane
    @pogobanane
    ah now I finally understand
    Marcel Klehr
    @marcelklehr
    :)
    the endpoints are essentially the same just the auth part is different
    pogobanane
    @pogobanane
    :thumbsup:
    pogobanane
    @pogobanane
    cool. Do you have an opinion about it yet?
    Marcel Klehr
    @marcelklehr
    I think I'll replace Travis with GitHub,
    much more beautiful
    plus, I don't need Sauce Labs anymore, which was very slow and error-prone
    dockerized selenium ftw
    pogobanane
    @pogobanane

    much more beautiful

    agreed

    :D
    Marcel Klehr
    @marcelklehr
    I recently read about it, yeah. Would be nice to implement it in floccus. see marcelklehr/floccus#297
    I doubt that will improve performance, though
    as that flow is just a nicer way to get an app password
    Marcel Klehr
    @marcelklehr
    still it's nice for people using 2FA