feat(api): add fortify login route to retrieve api key #2455

wescopeland · 2024-05-20T22:28:15Z

The PR adds a new V2 web API route:

POST https://localhost:64000/api/v2/login

# Request Payload
{
  "username": "MyUsername"
  "password": "MyPassword"
}

# Response Payload
{
  "webApiKey": "XXXXXXXXXXXXXXXXXXXXXXXXXX"
}

This route will conceivably allow emulation front-ends to exchange user credentials for a user's web API key, ideally to ween them off the Connect API (for which they're currently exchanging credentials for a connect token).

Security Considerations:

Error messages are intentionally obtuse.
The route is secured by Fortify (just like our web logins), not authenticateFromPassword().
The route uses the same rate limiter as the site's login page.

wescopeland · 2024-05-20T22:37:58Z

Documented at RetroAchievements/api-docs#46.

Jamiras · 2024-05-29T22:43:05Z

app/Api/Controllers/WebApiController.php

+ return response()->json(['webApiKey' => $user->api_token]);
+ }
+
+ return response()->json(['error' => 'Something went wrong'], 400);


I understand the necessity to not reveal too much, but would it be correct to return "Invalid user/password" here like we do for connect?

I know @luchaos wants to move to a response structure more in line with the official JSON API docs: https://discord.com/channels/476211979464343552/757767535293890682/1132370669938671758.

I think a response formatted in that manner would look like:

{ "errors": [ { "status": "401", "code": "invalid_credentials", "title": "Invalid username/password", } ] }

I would really like to get his feedback on anything we're going to call V2 of the API.

Connect also has a secondary "access denied" error if the credentials are valid, but the account's email address hasn't yet been verified.

An alternative to putting this in the V2 API namespace might be to return something like APIKey from r=login2. I would be happy to put this in the V1 Web API, but it's designed to only accept authenticated GET requests.

Jamiras · 2024-05-29T22:45:39Z

app/Api/Controllers/WebApiController.php

@@ -34,4 +36,25 @@ public function users(Request $request): JsonResponse
 'data' => $request->input(),
 ], 501);
 }
+
+ public function login(Request $request): JsonResponse


Is it possible to add unit tests for this? I would really like everything in the V2 API to have good test coverage.

Yes - certainly. Pending if we decide to keep this in here, I'm happy to add code coverage.

wescopeland added 2 commits May 20, 2024 18:22

feat(api): add fortify login route to retrieve api key

5a42c5b

chore: rename route to login

91f3503

wescopeland requested a review from a team May 20, 2024 22:28

Jamiras reviewed May 29, 2024

View reviewed changes

wescopeland closed this Jul 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(api): add fortify login route to retrieve api key #2455

feat(api): add fortify login route to retrieve api key #2455

wescopeland commented May 20, 2024 •

edited

Loading

wescopeland commented May 20, 2024

Jamiras May 29, 2024

Jamiras May 29, 2024

Jamiras May 29, 2024

wescopeland May 30, 2024 •

edited

Loading

Jamiras May 29, 2024

wescopeland May 30, 2024

feat(api): add fortify login route to retrieve api key #2455

feat(api): add fortify login route to retrieve api key #2455

Conversation

wescopeland commented May 20, 2024 • edited Loading

wescopeland commented May 20, 2024

Jamiras May 29, 2024

Choose a reason for hiding this comment

Jamiras May 29, 2024

Choose a reason for hiding this comment

Jamiras May 29, 2024

Choose a reason for hiding this comment

wescopeland May 30, 2024 • edited Loading

Choose a reason for hiding this comment

Jamiras May 29, 2024

Choose a reason for hiding this comment

wescopeland May 30, 2024

Choose a reason for hiding this comment

wescopeland commented May 20, 2024 •

edited

Loading

wescopeland May 30, 2024 •

edited

Loading