Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upSwitch authentication method precedence #164
Merged
Conversation
|
This is particularly necessary because the PHP API always returns a guest session cookie, even when authenticated with an API token. This means that if you make an API call with token to PHP first, and then to Node, and your client saves the cookie (as many do), the second request will fail with a 403 |
|
makes sense! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
This changes the behavior of the auth strategies:
The only practical difference is that if both methods are passed, the token takes precedence. This does not have any impact for requests that have no
Authorizationheader set, performance or otherwise, as the entire strategy is not executed in that case (which I verified).This aligns behavior with our prior PHP API and also makes more sense in my opinion, as one is way more likely to accidentally send a cookie than an API token.