[asterisk-app-dev] Removal of api_key

Paul Belanger paul.belanger at polybeacon.com
Thu Oct 17 12:21:59 CDT 2013


On Thu, Oct 17, 2013 at 11:54 AM, Corey Edwards <tensai at zmonkey.org> wrote:
> On Thu, Oct 17, 2013 at 8:05 AM, David M. Lee <dlee at digium.com> wrote:
>>
>> On Oct 17, 2013, at 12:22 AM, Paul Belanger <paul.belanger at polybeacon.com> wrote:
>>
>>> Now, the reason for having it was because this was the default way
>>> swagger passed credentials via HTTP.  I'm not sure why they didn't
>>> simply add http://username:password@example.org support, but that is a
>>> different issue (in fact I plan to open a bug upstream).
>>
>> There have been a few cases where an HTTP or WebSocket client library
>> didn't support HTTP Basic auth. Putting the HTTP Basic auth header in
>> there is not hard, but adding an ?api_key param is dead simple.
>
> The Perl Protocol::WebSocket library does not support Basic auth and having
> api_key available was a very useful feature to me. I could imagine many other
> websocket libraries being the same way. Compared to basic auth, I don't
> see any significant security risk.
>
So, I just wrote a basic demo in Perl; man, what a pain getting CPAN
working on my Linux box.  You look to be correct about
Protocol::WebSocket; however, I was able to get basic auth working[1]
using Mojo::UserAgent.

Again, I feel we're adding api_key to work around clients that
don't properly support WS.

[1] https://gist.github.com/pabelanger/7028799

-- 
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
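
The two ways of carrying credentials on the WebSocket opening handshake that this thread compares, as an added example that is not part of the original message or of the Asterisk code base. It builds both handshakes and reports which part of the request ends up holding the password. The host, path, `app` parameter, credentials and the `user:password` form of the `api_key` value are assumptions made for illustration.

```python
import base64
import os
from urllib.parse import unquote, urlencode


def build_handshake(host, path, query, user, password, use_basic, key=None):
    """Build an RFC 6455 opening handshake carrying the credential either in an
    Authorization: Basic header or in an api_key query parameter."""
    query = dict(query)
    auth_headers = []
    if use_basic:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        auth_headers.append(f"Authorization: Basic {token}")
    else:
        # Assumed value format for illustration: user:password
        query["api_key"] = f"{user}:{password}"
    key = key or base64.b64encode(os.urandom(16)).decode()
    lines = [
        f"GET {path}?{urlencode(query)} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        *auth_headers,
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode()


def credential_locations(request, password):
    """Return the parts of the handshake that contain the password once
    percent-encoding and base64 are decoded."""
    head = request.decode().split("\r\n\r\n")[0].split("\r\n")
    request_line, header_lines = head[0], head[1:]
    found = set()
    if password in unquote(request_line):
        found.add("request-line")
    for line in header_lines:
        name, _, value = line.partition(": ")
        if name.lower() == "authorization" and value.startswith("Basic "):
            if password in base64.b64decode(value[6:]).decode():
                found.add("authorization-header")
    return found


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for use_basic in (True, False):
        req = build_handshake("pbx.example.org", "/ari/events", {"app": "demo"},
                              "alice", "s3cret", use_basic)
        print(req.decode().split("\r\n")[0], credential_locations(req, "s3cret"))
```
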


