Add QueryParam auth plugin support #267
Conversation
|
@Nyholm I have an issue with the always empty I'm investigating, but if you have a clue to give... ;-) |
Which line? |
|
@Nyholm https://github.com/php-http/HttplugBundle/pull/267/files#diff-850942b3ba24ab03a40aaa81b6152852R544 In a nutshell, But I'm not sure we can remove it from the config if the array is empty. 🤔 |
|
Be more pragmatic =) Write a special case for |
|
@Nyholm The issue is So yes, I can just unset Or maybe the idea you have is different? |
|
@Nyholm I did an unset on the validation. Does it seem ok to you? The other fails are note related AFAIK. |
There was a problem hiding this comment.
thanks for this pull request.the risk with query parameters for credentials is that they show up in all kind of access logs from the server, proxies and the browser history. its not much of an injection risk like other things with query parameters (if i can trick you to login with somebody's account, that is not an issue - the injection problem is when i can trick you to click a link that executes some operation with your own login).
can you please provide a pull request for php-http/documentation to document this feature as well? maybe add the warning about passwords showing up in access logs and the browser history?
@Nyholm did a bunch of cleanup on master, but afaik there is still something failing for some versions. could you rebase on master nonetheless?
I totally agree! But the targeted API maintainer does not seems to be agree. BTW, the maintainer is Google, f*ck yeah! They is a risk, but I don't think we should log the emitted request on production. I'll take a look for the documentation and the rebase. |
|
Please see php-http/documentation#238. |
|
Is anything missing to get this merged and released? |
|
Thank you for the ping. |
|
Thank you for the merge @Nyholm ! May we have a new release? :-) |
What's in this PR?
Add missing support for the
QueryParamauth plugin.Why?
Because there is no reason to not have it. :-D