Page MenuHomePhabricator
Create Task
Maniphest T170438

Edit token should not be required when an Authorization (OAuth) header is present
Closed, DuplicatePublic
Actions

Description

When using OAuth for write actions, a token should not be required. Since cookies are not being used for authentication/authorization, then the authorization is stateless and retrieving an edit token is an unnecessary step that does not add any additional security.

Perhaps it would be best to ignore any cookies / sessions when the Authorization header is present?

Event Timeline

dbarratt created this task.Jul 12 2017, 4:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 12 2017, 4:37 PM
dbarratt renamed this task from Edit token should not be required when an Authorization header is present (OAuth). to Edit token should not be required when an Authorization (OAuth) header is present.Jul 12 2017, 4:37 PM
dbarratt updated the task description. (Show Details)
Tgr closed this task as a duplicate of T126257: The API should not require CSRF tokens for an OAuth request.Jul 12 2017, 4:46 PM
dbarratt added a subscriber: EvanProdromou.Jun 14 2019, 6:27 PM
This comment was removed by dbarratt.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL