feature: Implement authentication for API v2 based on OAuth2 potocol. #388
Task list completed / task-list-completed
succeeded
Feb 13, 2024 in 0s
2 / 2 tasks completed
All tasks have been completed
Details
Required Tasks
| Task | Status |
|---|---|
The changes pass pre-commit checks (make lint) |
Completed |
| The changes follow coding style | Completed |
since this is meant to be an api for custom web apps (other than the osu! client), i think we should use jwt for it's symmetric key verification mechanism to avoid storing raw access tokens in our application. we can include verifiable claims in the token such as a token_id, which can be stored server-side to enable token revocation by server staff without the storage of a signed access token. |
Incomplete |
| i'm not certain whether it's best to persist access tokens vs. refresh tokens vs. both -- i'll have to look a bit deeper into the oauth 2.0 standard to see if there's a reason to prefer one over the other. | Incomplete |
| ability for server staff to revoke all sessions for a given user | Incomplete |
| ability server staff to temporarily disable a user's account | Incomplete |
| there isn't much client-identifying information being collecting alongside the authorization grants -- i think it would be wise to store simple identification information such as the client ip address, and user agent along with grants or tokens. | Incomplete |
| there are some implementation-specifics that need adjustments -- shouldn't be very major; the previously mentioned issues are more important/fundamental than these implementation specifics. | Incomplete |
Loading