add some kind of administration through the http DELETE method #4

Closed
opened 2 years ago by dawidkubis · 2 comments
Owner

Since moderation is an issue, but we don't generally do javascript, it seems like a http request on the specific post/thread uri should do the trick. This can be improved on the client side with an extension for convenience, or with some kind of API a simple management client could be made. The request would then be authorized with a header holding a key.
The big question right now is whether this key should be symmetric or not, and whether kchan should work with a single key or multiple keys.
Multiple keys would be great if they could be dynamically read from a file, like with .ssh/authorized_keys, but that kind of design is the opposite of where kchan is currently heading.
If the key is symmetric, then curl -X POST <adress>/<post/thread id> -H "Auth: <key>" should be good enough, but there are serious security concerns connected to using a symmetric key in this case.
Asymmetric key would in turn add another dependency, and then the -H Auth: would probably contain a private key encrypted post/thread id, which could be compared on the server side.
Maybe we could make this a compile-time feature? No idea.

Since moderation is an issue, but we don't generally do javascript, it seems like a http request on the specific post/thread uri should do the trick. This can be improved on the client side with an extension for convenience, or with some kind of API a simple management client could be made. The request would then be authorized with a header holding a key. The big question right now is whether this key should be symmetric or not, and whether kchan should work with a single key or multiple keys. Multiple keys would be great if they could be dynamically read from a file, like with `.ssh/authorized_keys`, but that kind of design is the opposite of where kchan is currently heading. If the key is symmetric, then `curl -X POST <adress>/<post/thread id> -H "Auth: <key>"` should be good enough, but there are serious security concerns connected to using a symmetric key in this case. Asymmetric key would in turn add another dependency, and then the `-H Auth:` would probably contain a private key encrypted post/thread id, which could be compared on the server side. Maybe we could make this a compile-time feature? No idea.
Poster
Owner

This should wait for #5 i think.

This should wait for #5 i think.
dawidkubis added the
enhancement
label 2 years ago
Poster
Owner

Administration added as of 7cf755b47b, authorization is not necessary since it can be handled in nginx. Kchan does not authorize requests, but simply does as it is told upon receiving a DELETE request. A client side script/extension can be used for convenience, but that is entirely up to the user.

Administration added as of 7cf755b47b41fe7768c9300438b1ae02f6dbf918, authorization is not necessary since it can be handled in nginx. Kchan does not authorize requests, but simply does as it is told upon receiving a DELETE request. A client side script/extension can be used for convenience, but that is entirely up to the user.
dawidkubis closed this issue 2 years ago
Sign in to join this conversation.
No Milestone
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: dawidkubis/kchan#4
Loading…
There is no content yet.