Users should be able to retrieve room name even if they're not in the room

RESOLVED FIXED


People

(Reporter: oteo, Assigned: leplatrem)


Details

(Whiteboard: [loop-server-0.15])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
With shared URLs, the API to retrieve basic information about the room with a token (https://docs.services.mozilla.com/loop/apis.html#get-calls-token) was public, so basic information about the call could be shown to the user before he joins it.

With rooms, we have not found anything similar. The equivalent method (https://wiki.mozilla.org/Loop/Architecture/Rooms#GET_.2Frooms.2F.7Btoken.7D) only works if the user has previously joined the room.

We believe in some cases showing the room name in advance would encourage users to join it.
(Reporter)

Updated

4 years ago
Blocks: 1097703
Currently, the server does require authentication to get information about a room, that's correct.
I believe the best way to get metadata information about the rooms would be to do a call without being authenticated.

In case we're getting a non-authenticated call on GET /rooms/:token, then we would return the public metadata information:

    roomToken, The token used to identify this room.
    roomName, The name of the room.
    roomUrl, A URL that can be given to other users to allow them to join the room.
    roomOwner, The user-friendly display name indicating the name of the room’s owner.
    expiresAt, The time (in seconds since the Unix epoch) at which the room goes away.
    ctime, The time, in seconds since the Unix epoch, that any of the following happened to the room

Adam, does that seem correct to you? Is it okay to actually expose the roomOwner field for instance?
Flags: needinfo?(adam)

Comment 2

4 years ago
(In reply to Alexis Metaireau (:alexis) from comment #1)
> Currently, the server does require authentication to get information about a
> room, that's correct.
> I believe the best way to get metadata information about the rooms would be
> to do a call without being authenticated.

Okay, let's move forward with that, then.

> In case we're getting a non-authenticated call on GET /rooms/:token, then we
> would return the public metadata information:
> 
>     roomToken, The token used to identify this room.
>     roomName, The name of the room.
>     roomUrl, A URL that can be given to other users to allow them to join
> the room.
>     roomOwner, The user-friendly display name indicating the name of the
> room’s owner.
>     expiresAt, The time (in seconds since the Unix epoch) at which the room
> goes away.
>     ctime, The time, in seconds since the Unix epoch, that any of the
> following happened to the room
> 
> Adam, does that seem correct to you? Is it okay to actually expose the
> roomOwner field for instance?

So, I think I'd want to hide the expiresAt and ctime fields, since changes in those fields imply that the room is actively being used, which is probably something we don't want exposed. I could come up with several scenarios in which you could do some pretty creepy things with that information, especially if you queried it periodically.

I can't think of any privacy implications involved in exposing the roomOwner; let's leave that in for unauthenticated queries.
Flags: needinfo?(adam)
Blocks: 1114563
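
The field split agreed in comments 1 and 2, sketched as an added example (not loop-server's code and not taken from the linked commit). The field names come from the discussion; the function names, the `sessionId` internal field and the sample room values are constructed for illustration.

```javascript
// Fields agreed for unauthenticated GET /rooms/:token.
// expiresAt and ctime are left out: changes in them reveal room activity.
const PUBLIC_ROOM_FIELDS = ["roomToken", "roomName", "roomUrl", "roomOwner"];

// Assumption: callers who have joined the room also see the two timestamps.
const PARTICIPANT_ROOM_FIELDS = PUBLIC_ROOM_FIELDS.concat(["expiresAt", "ctime"]);

// Copy only allowlisted keys, so a field added to the stored record later
// is not exposed by default (a denylist would leak it).
function pickFields(record, fields) {
  const out = {};
  for (const key of fields) {
    if (Object.prototype.hasOwnProperty.call(record, key)) {
      out[key] = record[key];
    }
  }
  return out;
}

// Hypothetical serializer: isParticipant means "authenticated and in the room".
function serializeRoom(room, isParticipant) {
  return pickFields(room, isParticipant ? PARTICIPANT_ROOM_FIELDS : PUBLIC_ROOM_FIELDS);
}

// Regression check for the polling concern: do two snapshots of the same
// room produce different responses for this kind of caller?
function viewsDiffer(roomBefore, roomAfter, isParticipant) {
  return JSON.stringify(serializeRoom(roomBefore, isParticipant)) !==
         JSON.stringify(serializeRoom(roomAfter, isParticipant));
}

// Constructed sample record; sessionId stands for any server-internal field.
const roomBefore = {
  roomToken: "tok-EXAMPLE",
  roomName: "Weekly sync",
  roomUrl: "https://example.invalid/tok-EXAMPLE",
  roomOwner: "Alex",
  expiresAt: 1420000000,
  ctime: 1419000000,
  sessionId: "internal-example",
};
// Same room after activity: both timestamps have moved.
const roomAfter = Object.assign({}, roomBefore, { expiresAt: 1420000600, ctime: 1419000600 });

console.log(serializeRoom(roomBefore, false));
console.log("public view changed:", viewsDiffer(roomBefore, roomAfter, false));
```
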
(Assignee)

Comment 3

4 years ago
Created attachment 8542538 [details] [review]
PR 271
Attachment #8542538 - Flags: review?(rhubscher)
Attachment #8542538 - Flags: review?(alexis+bugs)
Attachment #8542538 - Flags: review+
https://github.com/mozilla-services/loop-server/commit/839170b6c7bb8d324d007bfa01d0cdd0d297bac2
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Whiteboard: [loop-server-0.15]
(Assignee)

Comment 5

4 years ago
Created attachment 8542576 [details] [review]
PR on Github docs
Attachment #8542576 - Flags: review?(rhubscher)
Attachment #8542576 - Flags: review?(alexis+bugs)
Attachment #8542576 - Flags: review+
Assignee: nobody → mathieu