Auth routes are not specified (documented, validated)
Different auth backends have different inputs and responses. They are chosen at startup time based on a CLI option.
The current situation is that each auth backend uses the same URLs for routes. Also, the inputs and responses are not specified/documented, and are manually validated (rather than using the backend-generated validation).
See:
Impact
Understanding the code is more difficult (for backend developers, API users, and operators). Maintenance is harder, because changes in the spec need to be made and kept in sync manually. Operators don't have a documented REST API spec, meaning they might find it difficult to know how it works and complete tasks like hardening the API. Validation cannot be done automatically by the backend or the frontend (currently only the backend is using the spec for automatic validation).
Since this area of code has no tests, not having docs or a spec here means the code is lower quality. This is not an ideal situation for portions of the codebase which have a high impact on the security of the system (as auth does).
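An added illustration of the spec-driven approach the issue asks for (example code written for this page, not the project's own code; the backend names "password" and "oidc", the route paths, and the field names are hypothetical). One per-backend spec is the single source of truth: the same `RouteSpec` drives request and response validation and emits an OpenAPI-style `paths` fragment for operators, so documentation cannot drift from what the server actually enforces. The validator also rejects unknown fields, which hand-written checks on auth endpoints commonly forget.

```python
"""Spec-driven auth routes: one RouteSpec per backend feeds both validation and docs.
Hypothetical backends and paths; not the project's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    type: type
    required: bool = True
    secret: bool = False        # marked as a password format in generated docs


@dataclass(frozen=True)
class RouteSpec:
    method: str
    path: str
    request: dict               # field name -> Field
    response: dict              # field name -> Field


# Hypothetical backends. Each gets its own path instead of sharing one URL,
# so the generated docs state exactly which inputs a deployment accepts.
AUTH_SPECS = {
    "password": RouteSpec(
        "POST", "/auth/password/login",
        request={"username": Field(str), "password": Field(str, secret=True)},
        response={"session_token": Field(str, secret=True)},
    ),
    "oidc": RouteSpec(
        "POST", "/auth/oidc/callback",
        request={"code": Field(str), "state": Field(str), "nonce": Field(str, required=False)},
        response={"session_token": Field(str, secret=True), "subject": Field(str)},
    ),
}


class ValidationError(ValueError):
    pass


def validate(fields, body):
    """Generic validation derived from the spec: reject non-objects and unknown
    keys (an auth endpoint should not silently accept extra parameters), require
    mandatory keys, and check exact types (so True is not accepted as an int)."""
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unknown = sorted(set(body) - set(fields))
    if unknown:
        raise ValidationError(f"unknown fields: {unknown}")
    for name, f in fields.items():
        if name not in body:
            if f.required:
                raise ValidationError(f"missing required field: {name}")
            continue
        if type(body[name]) is not f.type:
            raise ValidationError(f"field {name!r} must be {f.type.__name__}")
    return body


def select_backend(cli_value):
    """Models the startup-time CLI option that picks exactly one backend."""
    if cli_value not in AUTH_SPECS:
        raise SystemExit(f"unknown auth backend {cli_value!r}; expected one of {sorted(AUTH_SPECS)}")
    return cli_value


def handle_request(backend, method, path, body):
    """Dispatch one request through the selected backend's spec.
    Returns (status, json_body). Credential checking itself is out of scope here."""
    spec = AUTH_SPECS[backend]
    if (method, path) != (spec.method, spec.path):
        return 404, {"error": "route not served by the configured auth backend"}
    try:
        validate(spec.request, body)
    except ValidationError as e:
        return 400, {"error": str(e)}
    # Placeholder result shaped by the response spec; real code verifies credentials first.
    resp = {name: "REDACTED" if f.secret else "example" for name, f in spec.response.items()}
    validate(spec.response, resp)   # responses are held to the spec as well
    return 200, resp


_JSON_TYPES = {str: "string", int: "integer", bool: "boolean"}


def openapi_paths(backend):
    """Emit an OpenAPI-style 'paths' fragment from the same spec, so the
    documentation operators read is generated from what the server validates."""
    s = AUTH_SPECS[backend]

    def schema(fields):
        props = {}
        for name, f in fields.items():
            prop = {"type": _JSON_TYPES[f.type]}
            if f.secret:
                prop["format"] = "password"
            props[name] = prop
        return {"type": "object", "additionalProperties": False, "properties": props,
                "required": [n for n, f in fields.items() if f.required]}

    return {s.path: {s.method.lower(): {
        "requestBody": {"content": {"application/json": {"schema": schema(s.request)}}},
        "responses": {"200": {"content": {"application/json": {"schema": schema(s.response)}}}},
    }}}


if __name__ == "__main__":
    import json, sys
    backend = select_backend(sys.argv[1] if len(sys.argv) > 1 else "password")
    sample = {"password": {"username": "alice", "password": "hunter2"},
              "oidc": {"code": "c", "state": "s"}}[backend]     # constructed sample input
    print(json.dumps(openapi_paths(backend), indent=2))
    print(handle_request(backend, "POST", AUTH_SPECS[backend].path, sample))
```

Run with `python spec_auth.py oidc` to see the generated fragment for that backend; a request carrying the other backend's fields gets a 400 naming the unexpected keys, and a request to the other backend's path gets a 404, which is the behaviour a per-backend spec makes explicit and testable.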