The text on the Joomla API Token is currently:
Manage the security tokens used for authenticating to the Joomla API application (remote access to your site). If you are not sure what this does chances are you don't need it and can safely ignore these settings.
One can argue that if you are not sure what this does
then you should ensure that the token is not set to active
and that you should not be encouraged to ignore these settings.
One could argue that if you are not sure what this does
then it should NOT be active and you CANNOT safely ignore these settings
if it IS set to active.
Maybe better text could be something like
Manage the security tokens used for authenticating to the Joomla API application (remote access to your site). If you are not sure what this does chances are you don't need it and you should ensure that it is not set to active and just ignore the token
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2020-05-31 17:23:28
Closed_By: PhilETaylor
Awesome - thanks for the explanation.
I look forward to tomorrow.
If you had participated in the original discussion you'd have probably understood the context better.
You CAN safely ignore the settings if you don't need the token. A token will be created for you and nobody who doesn't have access to your profile will know about it. Moreover, the token was implemented in such a way that brute-forcing it would take a few million times the time to the heat death of the universe with current technology.
The other option was to disable by default either the user or the API authentication plugin that implements the token. However, this would create the problem of the feature being essentially hidden. While right now this wouldn't be that big of a deal, the intent of the API application is to power core backend and frontend components in the future. This means that unless we enable the token plugins by default we can't even begin to implement that vision.
Finally, the API token is meant to be more than just a Joomla API application authentication token. It's also meant to be something that 3PDs can use to provide secure remote access to their extensions, either directly (for now, as the API application is limited to Super Users) or through the API application later. Having unified token management today helps pave the way for tomorrow.