PhilETaylor
31 May 2020

Steps to reproduce the issue

The text on the Joomla API Token is currently:

Manage the security tokens used for authenticating to the Joomla API application (remote access to your site). If you are not sure what this does chances are you don't need it and can safely ignore these settings.

One can argue that if you are not sure what this does then you should ensure that the token is not set to active, and that you should not be encouraged to ignore these settings.

One could argue that if you are not sure what this does then it should NOT be active, and you CANNOT safely ignore these settings if it IS set to active.

Maybe better text could be something like:

Manage the security tokens used for authenticating to the Joomla API application (remote access to your site). If you are not sure what this does chances are you don't need it and you should ensure that it is not set to active and just ignore the token.

PhilETaylor - open - 31 May 2020
joomla-cms-bot - change - 31 May 2020
joomla-cms-bot - labeled - 31 May 2020
PhilETaylor - change - 31 May 2020
The description was changed
PhilETaylor - edited - 31 May 2020
nikosdion - comment - 31 May 2020

If you had participated in the original discussion you'd have probably understood the context better.

You CAN safely ignore the settings if you don't need the token. A token will be created for you and nobody who doesn't have access to your profile will know about it. Moreover, the token was implemented in such a way that brute forcing it would take a few million times the time until the heat death of the universe with current technology.

The other option was to disable by default either the user or the API authentication plugin that implements the token. However, this would create the problem of the feature being essentially hidden. While right now this wouldn't be that big of a deal, the intent of the API application is to power core backend and frontend components in the future. This means that unless we enable the token plugins by default we can't even begin to implement that vision.

Finally, the API token is meant to be more than just a Joomla API application authentication token. It's also meant to be something that 3PDs can use to provide secure remote access to their extensions, either directly (for now, as the API application is limited to Super Users) or through the API application later. Having a unified token managed today helps pave the way for tomorrow.
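To put the brute-force claim above into numbers, here is an added example (not Joomla's code, and not part of the thread): it generates a random API token, verifies a presented token in constant time, and estimates how many years an online guessing attack would need. The 32-byte token length, the 10^12 guesses per second attacker rate and the 1.38e10-year age of the universe are assumptions chosen for illustration.

```python
import hmac
import math
import secrets

TOKEN_BYTES = 32          # assumption: 256 bits of entropy, not Joomla's actual format
AGE_OF_UNIVERSE_YEARS = 1.38e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_token(nbytes: int = TOKEN_BYTES) -> str:
    """Create a random hex token from the OS CSPRNG (what 'created for you' implies)."""
    return secrets.token_hex(nbytes)


def verify_token(stored: str, presented: str) -> bool:
    """Constant-time comparison so a wrong guess leaks no timing information."""
    return hmac.compare_digest(stored.encode(), presented.encode())


def expected_bruteforce_years(nbytes: int = TOKEN_BYTES, guesses_per_second: float = 1e12) -> float:
    """Expected years to hit a uniformly random token: on average half the keyspace."""
    expected_guesses = 2 ** (8 * nbytes - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def universe_lifetimes(nbytes: int = TOKEN_BYTES, guesses_per_second: float = 1e12) -> float:
    """Same estimate expressed as multiples of the current age of the universe."""
    return expected_bruteforce_years(nbytes, guesses_per_second) / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    tok = generate_token()
    print("token:", tok)
    print("verify correct :", verify_token(tok, tok))
    print("verify wrong   :", verify_token(tok, generate_token()))
    print("log10(years)   :", round(math.log10(expected_bruteforce_years()), 1))
    print("universe ages  :", f"{universe_lifetimes():.3e}")
```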

PhilETaylor - change - 31 May 2020
Status New Closed
Closed_Date 0000-00-00 00:00:00 2020-05-31 17:23:28
Closed_By PhilETaylor
PhilETaylor - close - 31 May 2020
PhilETaylor - comment - 31 May 2020

Awesome - thanks for the explanation.

I look forward to tomorrow.
