Part of increasing adoption on Urbit involves making it more available for developers as a platform. Josh & I have talked about this a bit and I’m sure many of you have as well. I’ve been working on a document to PR to urbit/docs that summarizes the method by which developers can implement “airlock,” otherwise known as urbit’s API.
https://gist.github.com/tylershuster/74d69e09650df5a86c4d8d8f00101b42 ( I would appreciate your feedback on that doc in the comment box ).People seem to assume that you need to learn a rather esoteric language to develop on urbit, and this poses a high barrier to entry for developers developers developers developers. This doc will go a long way in ameliorating those concerns, I hope.
However, I’m concerned that the current method of authentication is a bit convoluted, even with documentation.
The current API authentication uses the following flow:
1. make a POST to /~login with your code as form data.
2. receive a cookie back in the set-cookie headers
3. send that cookie on any subsequent requests
This works, basically. Here’s what I like about it, before I say what’s wrong: It uses existing mechanisms (form data, set-cookie, cookies automatically sent)
I would like to preserve that simplicity, and now that CORS has some tools it works for the browser pretty well.
There are some problems, however. From a social perspective, it’s a bit unprofessional for a general purpose API. It’s fine when you’re working with one client but I worry that it will draw criticism for other reasons than I can think of here:
For instance, browsers don’t allow you to manually set Cookie headers so if you’re using a library like axios or a fetch polyfill you get some behavior that’s hard to work around.
Another problem is just ease of use. Most people are used to sending a POST variable for authentication, or a header that’s….not cookie. Basically cookies are for browsers and we’re working on expanding from the browser context to increase adoption.
I wonder if we could progressively enhance auth to follow something like the following behavior:
1. Make a POST to /~login with your code as form data. (this feels fine to me)
2. Receive both the current set-cookie header (for browsers) as well as a JSON object with the same info: {ship: ‘~zod’, key: ‘12345’}
3. Send that structured info with subsequent requests with
Basic Authentication. Let the browser use cookies as it does currently.
It *seems* to me that we could keep the existing behavior and account for this.
I’d like to know your thoughts. This isn’t an immediate concern, but I feel like it’s fairly low-work, high-reward.