Hacker News new | ask | show | jobs
by jonny_eh 2930 days ago
I came here to say just that. If you have to opt-in to doing the right thing, then the API is NOT secure.
2 comments
shawnz 2930 days ago
Ultimately you have to opt-in to doing any checks in the first place, no matter the API. So does that make every API insecure, since you could always just "return true" at the bottom of your authentication function?

To put it differently: Who's to say whether they were using the checks wrong, or just doing the wrong checks?

link
augbog 2930 days ago
They might have done it because existing people weren't doing it and it would have introduced a breaking change potentially.

Not making an excuse for them though. They should have done that.

link
saghm 2930 days ago
Preventing users from doing something insecure sounds like a perfect reason to make a breaking change.
link