wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

More PR feedback

Browse source 
Add a couple of TODO sections
This commit is contained in:
Richard van der Hoff 2016-08-09 12:16:20 +01:00
parent 4b0e546eeb
commit ec81b4c9fe
1 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
specification/modules/cas_login.rst
View file

@ -53,6 +53,16 @@ The client starts the process by instructing the browser to navigate to
|/login/cas/redirect|_ with an appropriate ``redirectUrl``. Once authentication |/login/cas/redirect|_ with an appropriate ``redirectUrl``. Once authentication
is successful, the browser will be redirected to that ``redirectUrl``. is successful, the browser will be redirected to that ``redirectUrl``.
.. TODO-spec
Should we recommend some sort of CSRF protection here (specifically, we
should guard against people accidentally logging in by sending them a link
to ``/login/cas/redirect``.
Maybe we should recommend that the ``redirectUrl`` should contain a CSRF
token which the client should then check before sending the login token to
``/login``?
{{cas_login_redirect_cs_http_api}} {{cas_login_redirect_cs_http_api}}
{{cas_login_ticket_cs_http_api}} {{cas_login_ticket_cs_http_api}}
@ -72,6 +82,12 @@ the URI of the ``/login/cas/ticket`` endpoint, including the ``redirectUrl``
query-parameter. Because the homeserver may not know its base URI, this may query-parameter. Because the homeserver may not know its base URI, this may
also require manual configuration. also require manual configuration.
.. TODO-spec:
It might be nice if the server did some validation of the ``redirectUrl``
parameter, so that we could give more meaningful errors in the case of
faulty/poorly-configured clients.
Handling the authentication endpoint Handling the authentication endpoint
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~