From 545706e17aa7f9fbd804789a0e71c25b92b484f7 Mon Sep 17 00:00:00 2001 From: Devin Howard Date: Sun, 12 Feb 2017 09:54:54 -0800 Subject: [PATCH] disable cookie based auth on the API - mostly (#1070) --- doc/api/api.raml | 2 +- doc/api/apis/mappings.raml | 4 ++-- doc/api/apis/maps.raml | 4 ++-- doc/api/apis/metacodes.raml | 4 ++-- doc/api/apis/synapses.raml | 4 ++-- doc/api/apis/tokens.raml | 3 +++ doc/api/apis/topics.raml | 4 ++-- doc/api/apis/users.raml | 4 ++-- doc/api/pages/cookie_tutorial.md | 3 --- doc/api/pages/getting-started.md | 2 +- doc/api/pages/token_tutorial.md | 17 +++++++++-------- doc/api/securitySchemes/cookie.raml | 3 +-- 12 files changed, 27 insertions(+), 27 deletions(-) delete mode 100644 doc/api/pages/cookie_tutorial.md diff --git a/doc/api/api.raml b/doc/api/api.raml index 45969271..d051b099 100644 --- a/doc/api/api.raml +++ b/doc/api/api.raml @@ -13,7 +13,7 @@ securitySchemes: cookie: !include securitySchemes/cookie.raml token: !include securitySchemes/token.raml oauth_2_0: !include securitySchemes/oauth_2_0.raml -securedBy: [ token, oauth_2_0, cookie ] +securedBy: [ token, oauth_2_0 ] traits: pageable: !include traits/pageable.raml diff --git a/doc/api/apis/mappings.raml b/doc/api/apis/mappings.raml index af4965cb..35d9353d 100644 --- a/doc/api/apis/mappings.raml +++ b/doc/api/apis/mappings.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ embeddable: { embedFields: "user,updated_by,map" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: @@ -32,7 +32,7 @@ post: #type: item get: is: [ embeddable: { embedFields: "user,updated_by,map" } ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: diff --git a/doc/api/apis/maps.raml b/doc/api/apis/maps.raml index fe9fed67..b147bd80 100644 --- a/doc/api/apis/maps.raml +++ b/doc/api/apis/maps.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ searchable: { searchFields: "name, desc" }, embeddable: { embedFields: "user,source,topics,synapses,mappings,contributors,collaborators" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] queryParameters: user_id: description: | @@ -40,7 +40,7 @@ post: #type: item get: is: [ embeddable: { embedFields: "user,source,topics,synapses,mappings,contributors,collaborators" } ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: diff --git a/doc/api/apis/metacodes.raml b/doc/api/apis/metacodes.raml index b2a48eeb..5e35d68f 100644 --- a/doc/api/apis/metacodes.raml +++ b/doc/api/apis/metacodes.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ searchable: { searchFields: "name" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: @@ -9,7 +9,7 @@ get: example: !include ../examples/metacodes.json /{id}: #type: item - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] get: responses: 200: diff --git a/doc/api/apis/synapses.raml b/doc/api/apis/synapses.raml index c9b37e9f..181d60f9 100644 --- a/doc/api/apis/synapses.raml +++ b/doc/api/apis/synapses.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ searchable: { searchFields: "desc" }, embeddable: { embedFields: "topic1,topic2,user" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: @@ -34,7 +34,7 @@ post: #type: item get: is: [ embeddable: { embedFields: "topic1,topic2,user" } ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: diff --git a/doc/api/apis/tokens.raml b/doc/api/apis/tokens.raml index 5d4eb191..b827acd3 100644 --- a/doc/api/apis/tokens.raml +++ b/doc/api/apis/tokens.raml @@ -3,12 +3,14 @@ get: description: | A list of the current user's tokens. is: [ searchable: { searchFields: description }, pageable, orderable ] + securedBy: [ token, oauth_2_0, cookie ] responses: 200: body: application/json: example: !include ../examples/tokens.json post: + securedBy: [ token, oauth_2_0, cookie ] body: application/json: properties: @@ -22,6 +24,7 @@ post: example: !include ../examples/token.json /{id}: #type: item + securedBy: [ token, oauth_2_0, cookie ] delete: responses: 204: diff --git a/doc/api/apis/topics.raml b/doc/api/apis/topics.raml index c1bce96e..704fce19 100644 --- a/doc/api/apis/topics.raml +++ b/doc/api/apis/topics.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ searchable: { searchFields: "name, desc, link" }, embeddable: { embedFields: "user,metacode" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: @@ -31,7 +31,7 @@ post: #type: item get: is: [ embeddable: { embedFields: "user,metacode" } ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: diff --git a/doc/api/apis/users.raml b/doc/api/apis/users.raml index 082af2f0..ec2e7d17 100644 --- a/doc/api/apis/users.raml +++ b/doc/api/apis/users.raml @@ -1,7 +1,7 @@ #type: collection get: is: [ searchable: { searchFields: "name" }, orderable, pageable ] - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] responses: 200: body: @@ -9,7 +9,7 @@ get: example: !include ../examples/users.json /{id}: #type: item - securedBy: [ null, token, oauth_2_0, cookie ] + securedBy: [ null, token, oauth_2_0 ] get: responses: 200: diff --git a/doc/api/pages/cookie_tutorial.md b/doc/api/pages/cookie_tutorial.md deleted file mode 100644 index 7bfa0825..00000000 --- a/doc/api/pages/cookie_tutorial.md +++ /dev/null @@ -1,3 +0,0 @@ -One way to access the API is through your browser. Log into metamaps.cc normally, then browse manually to https://metamaps.cc/api/v2/users/current. You should see a JSON description of your own user object in the database. You can browse any GET endpoint by simply going to that URL and appending query parameters in the URI. - -To run a POST or DELETE request, you can use the Fetch API. See the example in the next section. diff --git a/doc/api/pages/getting-started.md b/doc/api/pages/getting-started.md index 687cfa3f..184ffce3 100644 --- a/doc/api/pages/getting-started.md +++ b/doc/api/pages/getting-started.md @@ -1,2 +1,2 @@ -There are three ways to log in: cookie-based authentication, token-based authentication, or OAuth 2. If you're testing the API or making simple scripts, cookie-based or token-based is the best. If you're developing an app and want users to be able to log into Metamaps inside your app, you'll be able to use the OAuth 2 mechanism. Check the security tab of any of the endpoints above for instructions on logging in. +There are two ways to log in: token-based authentication, or OAuth 2. If you're testing the API or making simple scripts, token-based is the best. If you're developing an app and want users to be able to log into Metamaps inside your app, you'll be able to use the OAuth 2 mechanism. Check the security tab of any of the endpoints above for instructions on logging in. diff --git a/doc/api/pages/token_tutorial.md b/doc/api/pages/token_tutorial.md index b0d20ca4..7278073b 100644 --- a/doc/api/pages/token_tutorial.md +++ b/doc/api/pages/token_tutorial.md @@ -1,25 +1,26 @@ -If you are logged into the API via another means, you can create a token. Once you have this token, you can append it to a request. For example, opening a private window in your browser and browsing to `https://metamaps.cc/api/v2/users/current?token=...token here...` would show you your current user, even without logging in by another means. +You can create a token by using the API, or you can get your first token at https://metamaps.cc/tokens/new. Once you have this token, you can append it to a request. For example, opening a private window in your browser and browsing to `https://metamaps.cc/api/v2/users/current?token=...token here...` would show you your current user, even without logging in by another means. -To get a list of your current tokens, you can log in using cookie-based authentication and run the following fetch request in your browser console (assuming the current tab is on some page within the `metamaps.cc` website. +To get a list of your current tokens (while logged in to the main site), you can run the following fetch request in your browser console (assuming the current tab is on some page within the `metamaps.cc` website. The token you need to append to the url will look something like `T1ZI012rseqF1XZWFBVj4JSXR5g3OpYC`, but this example token won't work for you. You need your own. ``` fetch('/api/v2/tokens', { method: 'GET', - credentials: 'same-origin' // needed to use the cookie-based auth + credentials: 'same-origin', // needed so the API knows which account you're logged in to }).then(response => { return response.json() }).then(console.log).catch(console.error) ``` -If this is your first time accessing the API, this list wil be empty. You can create a token using a similar method: +If this is your first time accessing the API, this list wil be empty. You can create a token over the API using a similar method: ``` -fetch('/api/v2/tokens', { - method: 'POST', - credentials: 'same-origin' +fetch('/api/v2/tokens?token=T1ZI012rseqF1XZWFBVj4JSXR5g3OpYC', { + method: 'POST' }).then(response => { return response.json() -}).then(console.log).catch(console.error) +}).then(payload => { + console.log(payload) +}).catch(console.error) ``` `payload.data.token` will contain a string which you can use to append to requests to access the API from anywhere. diff --git a/doc/api/securitySchemes/cookie.raml b/doc/api/securitySchemes/cookie.raml index fb1041b1..19c80ea8 100644 --- a/doc/api/securitySchemes/cookie.raml +++ b/doc/api/securitySchemes/cookie.raml @@ -1,3 +1,2 @@ -description: !include ../pages/cookie_tutorial.md type: x-cookie -displayName: Secured by cookie-based authentication +displayName: Accessible using cookie-based authentication