
Comments (7)

meejah commented on June 28, 2024

Could _VoucherCollection merely inherit from allmydata.web.common.TokenOnlyWebApi ...? (The latter would have to be upgraded to allow PUT as well as the current POST)

from zkapauthorizer.

meejah commented on June 28, 2024

Oh, hrmmm ... I see _VoucherCollection also includes render_GET. The tokens are not allowed as query-style arguments currently, based on warner's argument that "URIs tend to leak" and we should never put the token itself into "not a request body". PUT can have a request body, though, correct?


meejah commented on June 28, 2024

Ahh, but the PUT for that as currently specified contains only a JSON body. So, maybe literally subclassing that is indeed a bad idea ... but something will have to change anyway to get the tokens to the server (and I agree with warner that putting them in the URL is probably a bad idea ... so maybe "get the list of all vouchers" can't / shouldn't be a GET)...


exarkun commented on June 28, 2024

Maybe this is the reason HTTP has the Authorization header and is more reason to nudge Tahoe-LAFS in that direction? Authorization is compatible with GET and also doesn't leak the information into a URL.

Twisted Web also has first-class support for Authorization header-based authorization (in twisted.web.guard).


exarkun commented on June 28, 2024

(though twisted.web.guard isn't always trivial to use so it might be better to hack something in to one of the existing parent resources instead :/ and then follow-up with a more maintainable implementation later.)


meejah commented on June 28, 2024

Ah, yeah, Authorization: <token> sounds like a better solution all-around -- especially since it would support any HTTP verbs we want and not put weird requirements on the body of those requests. (Now that it has been said, I don't know why it didn't come up before ;).

The existing "token" stuff in Tahoe's Web-API was regarded as a "trial" for how to do a complete "version 2" API ... by which I mean, I don't think it would be at all controversial to switch to that. It's not a "public" API, and the only thing using it is the "tahoe status" CLI piece.

Not sure how keen I'd personally be on t.w.guard, mostly based on long-ago memories of it "being hard" ... but also maybe a fresh look would change my mind ;)


meejah commented on June 28, 2024

Looking in Tahoe code again/some more, there's already a /private hierarchy which uses Authorization: tahoe-lafs <token>, which makes everything under /private only accessible if you pass the web-api token in...

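As an added illustration (not code from zkapauthorizer or Tahoe-LAFS), here is the header check the last two comments describe: accept the token only from an Authorization: tahoe-lafs <token> header, refuse it in the query string even when it is correct, and compare it in constant time. It is stdlib-only so it runs without Twisted; a Twisted resource would feed it request.getHeader(b"authorization") and request.args. The query-key name "token", the dict shapes and the sample token are assumptions.

```python
import hmac
from typing import Mapping, Optional, Sequence, Tuple

# Scheme name used by Tahoe's /private hierarchy, as quoted in the thread.
SCHEME = b"tahoe-lafs"


def parse_authorization(header: Optional[bytes]) -> Optional[bytes]:
    """Return the token from 'Authorization: tahoe-lafs <token>', or None
    when the header is missing, uses another scheme, or has no token."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)  # split on first run of whitespace
    if len(parts) != 2 or parts[0].lower() != SCHEME:  # scheme is case-insensitive
        return None
    token = parts[1].strip()
    return token or None


def authorize(
    headers: Mapping[bytes, bytes],
    query_args: Mapping[bytes, Sequence[bytes]],
    expected_token: bytes,
) -> Tuple[bool, str]:
    """Decide whether a request may reach a token-protected resource.

    headers: lower-cased header name -> raw value (assumed shape; in Twisted
             this would come from request.getHeader(b"authorization")).
    query_args: decoded query string, Twisted request.args style (assumed).
    Returns (allowed, reason) so the reason can be logged, never echoed.
    """
    # A token in the URL is refused outright, right or wrong: URLs end up in
    # logs, Referer headers and browser history ("URIs tend to leak").
    if b"token" in query_args:  # query-key name is an assumption
        return False, "token supplied in query string; use the Authorization header"
    presented = parse_authorization(headers.get(b"authorization"))
    if presented is None:
        return False, "missing or malformed Authorization header"
    # compare_digest avoids early-exit timing differences on a wrong prefix.
    if not hmac.compare_digest(presented, expected_token):
        return False, "bad token"
    return True, "ok"
```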
