SPAs were a mistake (lemmy.world)
[-] omgarm@feddit.nl 41 points 11 months ago

Can a non-programmer get some explanation?

[-] walter_wiggles@lemmy.nz 25 points 11 months ago

HttpOnly cookies can't be read by javascript, so there's no way to set the bearer token in the Authorization header.

[-] FleaCatcher@lemmy.world 110 points 11 months ago

You have a very wild fantasy of what a non-programmer is.

[-] Reddfugee42@lemmy.world 21 points 11 months ago

Okay, well have you ever used a dinglehopper?

[-] killeronthecorner@lemmy.world 10 points 11 months ago

I've smoothed a schleem or two in my time

[-] webghost0101@sopuli.xyz 10 points 11 months ago

An API lets different pieces of software talk to each other. HttpOnly uses secure tokens (think password) that a server uses to confirm identity.

Bearer tokens also confirm identity, but the added security provided by HttpOnly does not allow passing such tokens within the API information.

[-] xkforce@lemmy.world 18 points 11 months ago

They asked for ELI5 and you gave them ELI CS undergrad

[-] peopleproblems@lemmy.world 13 points 11 months ago

To be completely fair to the attempt, there is a reason we have decent incomes.

[-] webghost0101@sopuli.xyz 2 points 11 months ago* (last edited 11 months ago)

OK, I'll attempt again; bear in mind though that I am no expert in this field either.

An API is a system that allows software to talk to each other. It does this by sending structured packages back and forth that can be read by software.

Such a package usually includes a secure identifier to confirm authorized access (like a token) as well as a formal request (show me/edit/remove this specific data).

The API receives the data package and, if the authorization is valid, executes the request.

The way I understand it (I am no expert on this), HttpOnly is a way to provide authorization tokens through a browser cookie (you know those, right?), meaning only that browser can have access with that token. The client person never sees the token, so it's pretty secure in the background.

The bearer token is similar to the one in the browser cookie, but the client person needs to enter it inside the package for the API. This can happen from any browser or script by anyone who knows the bearer token. Except apparently you can't enter such tokens at all if the API is set to HttpOnly.
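
The point made in walter_wiggles's comment and in the explanation above (HttpOnly cookies are invisible to page script, so a single-page app cannot copy the token into an `Authorization: Bearer` header, but the browser still attaches the cookie to requests on its own) can be shown with a small model. The following is an added example, not code from the thread or from any of the projects mentioned in it. It assumes a constructed session token `tok123`, a cookie named `session`, and a toy cookie jar that imitates two browser behaviours: `document.cookie` omitting HttpOnly cookies, and the `Cookie` request header carrying all of them.

```javascript
// Added example: how HttpOnly changes what page JavaScript can do with a
// session token. Nothing here is from the original thread; the token value,
// cookie name and "server" below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return { name, value, attrs };
}

// A toy stand-in for the browser's cookie jar for one origin.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a Set-Cookie header as the browser would (same name overwrites).
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // What `document.cookie` exposes to page script: HttpOnly cookies are omitted.
  documentCookie() {
    return [...this.cookies.values()]
      .filter(c => !c.attrs.httponly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What the browser puts in the Cookie header of a credentialed request
  // (e.g. fetch(url, { credentials: 'include' })): every cookie, HttpOnly or not.
  cookieHeader() {
    return [...this.cookies.values()].map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// The SPA's attempt to build an Authorization header from what script can read.
// Returns null when the token is not visible to JavaScript.
function buildAuthorizationHeader(jar, cookieName) {
  const visible = jar.documentCookie().split('; ');
  const match = visible.find(s => s.startsWith(cookieName + '='));
  return match ? `Bearer ${match.slice(cookieName.length + 1)}` : null;
}

// Constructed server-side check: accept the token from the Authorization
// header or from the session cookie, and report which path authenticated.
function serverAuthorize(headers, expectedToken) {
  if (headers.authorization === `Bearer ${expectedToken}`) return 'header';
  const cookies = headers.cookie ? headers.cookie.split('; ') : [];
  if (cookies.includes(`session=${expectedToken}`)) return 'cookie';
  return null;
}

// Run both scenarios with the constructed token and return the outcomes.
function demo() {
  const token = 'tok123'; // constructed value

  // Scenario 1: server sets the session cookie with HttpOnly.
  const hardened = new CookieJar();
  hardened.store('session=tok123; HttpOnly; Secure; SameSite=Strict');
  const hardenedAuth = buildAuthorizationHeader(hardened, 'session'); // null
  const hardenedResult = serverAuthorize({ cookie: hardened.cookieHeader() }, token);

  // Scenario 2: same token without HttpOnly, so script (and any XSS) can read it.
  const readable = new CookieJar();
  readable.store('session=tok123; Secure; SameSite=Strict');
  const readableAuth = buildAuthorizationHeader(readable, 'session'); // 'Bearer tok123'
  const readableResult = serverAuthorize({ authorization: readableAuth }, token);

  return {
    httpOnly: { scriptSees: hardened.documentCookie(), authHeader: hardenedAuth, authenticatedVia: hardenedResult },
    readable: { scriptSees: readable.documentCookie(), authHeader: readableAuth, authenticatedVia: readableResult },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The trade-off the model makes visible: with HttpOnly the script-readable string is empty and no bearer header can be built, yet the request still authenticates because the browser sends the cookie itself; without HttpOnly the SPA can build the header, but so can any script injected into the page. Relying on the cookie path means the server must defend against cross-site request forgery separately (the `SameSite=Strict` attribute in the constructed header is one such control), since the browser attaches the cookie without the page's involvement.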

this post was submitted on 12 Dec 2023
246 points (95.9% liked)

Programmer Humor
