Topics

BREAKING CHANGES #important


 

Hello,

There are some upcoming breaking changes to the API. 

The most important change is that we're switching from HTTP Basic Auth to a cookies based authentication. Starting now, the /login endpoint will set one or more cookies. The `token` field in the returned login object will be blank. Your existing Basic Auth tokens will continue to work until the end of September, or when they expire, whichever comes first.

Along with switching to a cookies based authentication system, we have added CSRF protection to all POST endpoints. When using the `login` endpoint, the User structure that's returned now includes a `csrf_token` field. Use that value for the `csrf` POST parameter now required by these endpoints. NOTE: During this transition period, if you use HTTP Basic Auth, the csrf POST value is not required, so your code should continue to work.

Finally, we are switching the domain of the API. It has been https://api.groups.io. It is moving to https://groups.io/api/. The old domain will continue to work until the end of September, but please update your code as soon as possible.

I apologize for this, but these changes are needed. The switch to a cookies-based authentication was to support chat; no Javascript websocket libraries support Basic Authentication or adding HTTP header fields. The other changes were a result of this as well.

Your code should continue to work as is until the end of September, but please update as soon as possible. Please let me know if you have any questions.

Thanks,
Mark


ajomccauley@...
 

Hi and thank you!  Did the change happen at the end of September?  I'm new to groups.io and the API, poking around, and when I ran the login object, it included a token field with a super long string in it -- but I see the cookie authentication info in the documentation, so, just wanted to check.  Thanks!


 

On Fri, Nov 22, 2019 at 10:59 PM <ajomccauley@...> wrote:
Hi and thank you!  Did the change happen at the end of September?  I'm new to groups.io and the API, poking around, and when I ran the login object, it included a token field with a super long string in it -- but I see the cookie authentication info in the documentation, so, just wanted to check.  Thanks!
_._,_._,_

That's legacy and I've just removed it.

Thanks,
Mark