A one-call login API would be swell
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Wishlist | Unassigned | 
Bug Description
Evergreen 2.12 / Wishlist
The Evergreen login process currently requires 2 API calls, with an intermediate layer of MD5 password hashing. This process is unnecessarily complex. It complicates client code by requiring an MD5 library and raises the bar to entry for 3rd-party services needing to authenticate with Evergreen.
I propose a new API call open-ils.auth.login (thanks Jason Stephenson for name suggestion) which performs both parts of open-ils.
For example:
```
srfsh# request open-ils.auth open-ils.auth.login
{"username"
```
We also have a chance to improve how we use the generic "identifier" parameter. The "identifier" is passed by the caller when the caller wants the server to determine if a value is a username or barcode. The existing .init API is limited by checking the barcode regex setting at the root org unit, since it does not support an "org" parameter. With the new API, a combination of "identifier" and "org" allows the server to reliably determine whether a value is a username or barcode, in the same way that (for example) the TPAC does. The barcode regex check would no longer need to happen in the UI code.
Code en route.
Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
Changed in evergreen:
assignee: nobody → Mike Rylander (mrylander)
Changed in evergreen:
status: Fix Committed → Fix Released
Yeah, it's probably time for this.
One of the advantages of CHAP was its ability to work over an unencrypted transport. Of course, nowadays we have much more assurance that TLS will be in the mix, but it might be a niceness to take this as an opportunity to teach the gateway/translator that designated APIs should not be available if it thinks that the request is being served over HTTP (or if the admin hasn't flipped a setting to indicate that a particular Apache instance is sitting behind a proxy that's taking care of endpoint HTTPS).
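As an added illustration of the gateway rule sketched in the comment above (example code, not Evergreen's own): the gateway refuses a designated password-carrying API unless the request arrived over HTTPS, or the admin has explicitly flagged the instance as sitting behind a TLS-terminating proxy and the proxy reports HTTPS. The `TLS_ONLY_APIS` set, the `behind_tls_proxy` setting and the `X-Forwarded-Proto` handling are assumptions, not existing Evergreen configuration.

```python
from dataclasses import dataclass

# Hypothetical gateway configuration: which APIs carry a cleartext password
# (open-ils.auth.login is the call proposed in this bug) and so must only be
# served when the gateway believes the client hop is encrypted.
TLS_ONLY_APIS = {"open-ils.auth.login"}


@dataclass
class GatewayConfig:
    # Admin-flipped setting (hypothetical name): this Apache instance sits
    # behind a proxy that terminates HTTPS, so its forwarded scheme is trusted.
    behind_tls_proxy: bool = False


def request_is_tls(scheme: str, headers: dict, cfg: GatewayConfig) -> bool:
    """Return True only when the gateway has grounds to believe the request
    was served over HTTPS, either directly or via an admin-trusted proxy."""
    if scheme.lower() == "https":
        return True
    if cfg.behind_tls_proxy:
        # Honour X-Forwarded-Proto only when the admin has declared a trusted
        # proxy in front; an unconfigured instance must not trust the header,
        # since any client could set it on a plain HTTP connection.
        forwarded = headers.get("X-Forwarded-Proto", "")
        return forwarded.split(",")[0].strip().lower() == "https"
    return False


def gateway_allows(api: str, scheme: str, headers: dict, cfg: GatewayConfig) -> bool:
    """Decide whether the gateway/translator should route this API call.
    Non-designated APIs are unaffected; designated ones need a TLS hop."""
    if api not in TLS_ONLY_APIS:
        return True
    return request_is_tls(scheme, headers, cfg)


if __name__ == "__main__":
    cfg = GatewayConfig()
    # Plain HTTP with a client-supplied forwarded header is still refused.
    print(gateway_allows("open-ils.auth.login", "http",
                         {"X-Forwarded-Proto": "https"}, cfg))  # False
```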