[PATCH 0 of 1 RFC] login-required pragma

Mads Kiilerich mads at kiilerich.com
Thu Mar 19 20:09:26 EDT 2015


On 03/19/2015 09:34 PM, Thomas De Schampheleire wrote:
> Hi,
>
> Issue I'm trying to solve is this: we're implementing a script to
> create a pull request directly from a repo, without using the web
> interface. This script uses an API key to authenticate.
>
> When authentication fails (invalid API key) you still get a valid
> redirection response, but to a login screen rather than to the pullrequest
> page. This makes it difficult for the script to differentiate a success from
> a failure. One would have to search the response body for a certain string,
> which is fragile.
>
> The RFC that I'm sending adds an HTTP pragma header 'login-required' to the
> response, which can be checked by the script in a reliable way.
>
> Let me know what you think of this, and whether you see alternative
> solutions.

So you are creating the web service / API for PR creation you mentioned?

It seems to me like the problem is that you get _any_ redirection all 
from from such a "RPC" call. Missing authentication should just fail. 
(It would perhaps make sense for a successful REST API call to redirect 
to the new resource location but it seems to me like JSON RPC just 
should return the location as a result value.)

We spoke about how much logic should be in the "controller" and how much 
should be in the "model". In this case I would say that the logic for 
login redirection and redirection to the created resource belongs in the 
"web controller" while the actual PR creation logic should live in 
something that is closer to the model ("model controller"?) so you can 
use it from the "api controller".

/Mads


More information about the kallithea-general mailing list