[PATCH 0 of 1 RFC] login-required pragma

Mads Kiilerich mads at kiilerich.com
Mon Mar 23 15:36:42 EDT 2015


On 03/22/2015 02:34 PM, Thomas De Schampheleire wrote:
> Hi Mads,
>
> On Fri, Mar 20, 2015 at 1:09 AM, Mads Kiilerich <mads at kiilerich.com> wrote:
>> On 03/19/2015 09:34 PM, Thomas De Schampheleire wrote:
>>> Hi,
>>>
>>> Issue I'm trying to solve is this: we're implementing a script to
>>> create a pull request directly from a repo, without using the web
>>> interface. This script uses an API key to authenticate.
>>>
>>> When authentication fails (invalid API key) you still get a valid
>>> redirection response, but to a login screen rather than to the pullrequest
>>> page. This makes it difficult for the script to differentiate a success
>>> from a failure. One would have to search the response body for a certain
>>> string, which is fragile.
>>>
>>> The RFC that I'm sending adds an HTTP pragma header 'login-required' to
>>> the response, which can be checked by the script in a reliable way.
>>>
>>> Let me know what you think of this, and whether you see alternative
>>> solutions.
>>
>> So you are creating the web service / API for PR creation you mentioned?
> Yes indeed. However, it turned out to be much easier: just adding
> the 'PullRequestController:create' method in the API whitelist is
> enough. I don't need any further adaptation, so I did not use a
> regular API.
>
> This login-required pragma could solve my problem, but meanwhile I
> think a better approach is to simply check the redirection URL: if it
> contains 'login' then authentication failed. This simpler solution
> does not require changes in Kallithea and is fine for me. So this
> patch can be rejected.

How about this: When accessing through API, don't redirect to login on 
missing authentication; just fail.

/Mads
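
An added example, not part of the thread or of Kallithea's code: a client-side check that covers both behaviours discussed above, a redirect to the login page and an outright failure status. The login path, the `/pull-request/` marker and the `kallithea.example` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch, not values taken from the thread:
LOGIN_PATH = "/_admin/login"      # path of the server's login page
PR_MARKER = "/pull-request/"      # path fragment of a pull request page

# Constructed sample responses: (status, headers), redirects not followed.
SAMPLES = [
    (302, {"Location": "https://kallithea.example/_admin/login"
                       "?came_from=/team/app/pull-request/new"}),
    (302, {"location": "https://kallithea.example/team/login-service/pull-request/7"}),
    (403, {}),
    (200, {}),
]


def classify_response(status, headers, login_path=LOGIN_PATH, pr_marker=PR_MARKER):
    """Return "auth_failed", "created" or "unexpected" for one response."""
    # HTTP header names are case-insensitive.
    hdrs = {name.lower(): value for name, value in headers.items()}

    # The server refuses outright instead of redirecting to the login page.
    if status in (401, 403):
        return "auth_failed"

    if status in (301, 302, 303, 307, 308):
        # Compare the parsed path rather than searching the whole URL for
        # "login": a repository named "login-service" or a query parameter
        # carrying the original URL would otherwise be misclassified.
        path = urlsplit(hdrs.get("location", "")).path.rstrip("/")
        if path == login_path.rstrip("/"):
            return "auth_failed"
        if pr_marker in path:
            return "created"

    # Anything else (200 with a page body, 5xx, redirect elsewhere) is not
    # proof of success, so the script should treat it as a failure too.
    return "unexpected"


if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, headers.get("Location") or headers.get("location"),
              "->", classify_response(status, headers))
```

The script must issue the request with automatic redirect following disabled, otherwise it only sees the final page and the `Location` header is lost.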

