API: Can I authenticate without putting the key in the URL?

api
pr-welcome

#1

Continuing the discussion from Discourse API Documentation:

An unfortunate (in this context) characteristic of GET parameters is that they get logged all over the place, possibly including the discourse server, load balancers or proxies closer to the client.

Is there a way to provide the authentication details other than as GET parameters? E.g. many APIs allow for them to be passed via a custom HTTP header.
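The logging concern raised above, illustrated with an added example that is not part of the thread: a small Python scanner that flags and redacts Discourse API credentials (the `api_key` and `api_username` query parameters) in the request line of web-server access logs. The log lines are constructed, the key value is a placeholder, and the second line stands for a header-authenticated request, whose credentials never reach the access log at all.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-string parameters that carry credentials: the Discourse API ones
# (api_key, api_username) plus generic names used by other APIs.
SENSITIVE_PARAMS = {"api_key", "api_username", "access_token", "token"}

# Request line as written in Common Log Format: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def leaked_params(log_line):
    """Return the sensitive parameter names found in the request's query string."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k in SENSITIVE_PARAMS]


def redact_line(log_line):
    """Rewrite the request target so sensitive query values read REDACTED."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return log_line[:m.start("target")] + target + log_line[m.end("target"):]


def scan(lines):
    """Return (index, leaked parameter names) for every line that exposes credentials."""
    return [(i, leaked_params(line)) for i, line in enumerate(lines) if leaked_params(line)]


# Constructed sample access-log lines (not real traffic); EXAMPLEKEY123 is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:12:00:00 +0000] "GET /latest.json?api_key=EXAMPLEKEY123&api_username=system HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2016:12:00:01 +0000] "GET /latest.json HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG):
        print(f"line {idx}: credentials in query string: {names}")
        print("  redacted:", redact_line(SAMPLE_LOG[idx]))
```

Run against real logs, the same scanner doubles as a check that every proxy and load balancer in front of the server is also redacting, since each of them writes its own copy of the request line.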


(Blake Erickson) #2

I don’t believe there is support to put the parameters in the header, but you can put them in the body of the request and not as part of the URL.


#3

Using POST where I mean GET might work, but it’s icky at best. Arguably it’s a bug if POST is accepted in most contexts where GET is what’s meant, and I would be wary about assuming that wouldn’t become the case if it’s not now.

I wonder if there’s an OAuth based approach to be had?


(Blake Erickson) #4

I believe you can send the API parameters inside the body even in a GET request.

I believe this is how the discourse_api does it.


#5

As your linked post says, giving semantic meaning to the body of a GET request is a violation of the spec.

Looking over how GitHub does it, using HTTP basic authentication looks rather straightforward.


(Sam Saffron) #6

I don’t mind adding support for HTTP headers used for auth like S3 does, etc. … submit a PR


(Adam Beers) #7

Was this submitted? Am I able to authenticate with Authorization headers via the API?


(Blake Erickson) #8

I don’t think this has been done yet.


(Sam Saffron) #9

This is absolutely something I want to support and something the user API already supports.


(Anton) #10

Before that, should we send authentication parameters in the request body for all GET requests? Or what is the best workaround?