Include client key in a header, not the URL

Since this value is used both for identification and authentication, it
shouldn't be in the URL where it might be logged or otherwise
discovered.
Dustin J. Mitchell 2020-12-28 23:08:42 +00:00
parent 92d629522b
commit 31378cb8d4
5 changed files with 68 additions and 41 deletions

@ -69,10 +69,11 @@ The transactions above are realized for an HTTP server at `<origin>` using the H
The `origin` *should* be an HTTPS endpoint on general principle, but nothing in the functonality or security of the protocol depends on connection encryption.
The replica identifies itself to the server using a `clientKey` in the form of a UUID.
This value is passed with every request in the `X-Client-Id` header, in its dashed-hex format.
### AddVersion
The request is a `POST` to `<origin>/client/<clientId>/add-version/<parentVersionId>`.
The request is a `POST` to `<origin>/client/add-version/<parentVersionId>`.
The request body contains the history segment, optionally encoded using any encoding supported by actix-web.
The content-type must be `application/vnd.taskchampion.history-segment`.
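Review bot: The new sentence "This value is passed with every request in the `X-Client-Id` header" does not say that the value is a secret used for authentication, which is the whole reason the commit moves it out of the URL. Suggest stating that explicitly here, and revisiting the preceding context line, which still claims that "nothing in the functonality or security of the protocol depends on connection encryption": once a bearer-style secret travels in a header, an attacker who can read plaintext traffic obtains it, so HTTPS becomes a security requirement rather than a "general principle". The hunk also leaves undefined what the server returns when `X-Client-Id` is missing or is not a valid UUID; a short sentence (for example, 400 BAD REQUEST or 401 UNAUTHORIZED) would close that gap.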
@ -86,7 +87,7 @@ Other error responses (4xx or 5xx) may be returned and should be treated appropr
### GetChildVersion
The request is a `GET` to `<origin>/client/<clientId>/get-child-version/<parentVersionId>`.
The request is a `GET` to `<origin>/client/get-child-version/<parentVersionId>`.
The response is 404 NOT FOUND if no such version exists.
Otherwise, the response is a 200 OK.
The version's history segment is returned in the response body, with content-type `application/vnd.taskchampion.history-segment`.
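Review bot: With `<clientId>` removed from the path, the sentence "The response is 404 NOT FOUND if no such version exists" should make clear that the lookup is scoped to the client identified by `X-Client-Id`, so a `<parentVersionId>` that exists but belongs to a different client also yields 404 rather than leaking another replica's history segment. Suggest wording along the lines of "The response is 404 NOT FOUND if no such version exists for this client."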