Closed Bug 1103331 Opened 10 years ago Closed 9 years ago

Users should be able to retrieve room name even if they're not in the room

Categories

(Hello (Loop) :: Server, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: oteo, Assigned: leplatrem)

References

Details

(Whiteboard: [loop-server-0.15])

Attachments

(2 files)

56 bytes, text/x-github-pull-request
rhubscher
: review+
48 bytes, text/x-github-pull-request
rhubscher
: review+
With shared URLs, the API to retrieve basic information about the room with a token (https://docs.services.mozilla.com/loop/apis.html#get-calls-token) was public, so basic information about the call could be shown to the user before he joins it.

With rooms, we have not found anything similar. The equivalent method (https://wiki.mozilla.org/Loop/Architecture/Rooms#GET_.2Frooms.2F.7Btoken.7D) only works if the user has previously joined the room.

We believe in some cases showing the room name in advance would encourage users to join it.
Blocks: 1097703
Currently, the server does require authentication to get information about a room; that's correct.
I believe the best way to get metadata information about the rooms would be to do a call without being authenticated.

In case we're getting a non-authenticated call on GET /rooms/:token, then we would return the public metadata information:

    roomToken, The token used to identify this room.
    roomName, The name of the room.
    roomUrl, A URL that can be given to other users to allow them to join the room.
    roomOwner, The user-friendly display name indicating the name of the room’s owner.
    expiresAt, The time (in seconds since the Unix epoch) at which the room goes away.
    ctime, The time, in seconds since the Unix epoch, that any of the following happened to the room

Adam, does that seem correct to you? Is it okay to actually expose the roomOwner field for instance?
Flags: needinfo?(adam)
(In reply to Alexis Metaireau (:alexis) from comment #1)
> Currently, the server does require authentication to get information about a
> room, that's correct.
> I believe the best way to get metadata information about the rooms would be
> to do a call without being authenticated.

Okay, let's move forward with that, then.

> In case we're getting a non-authenticated call on GET /rooms/:token, then we
> would return the public metadata information:
> 
>     roomToken, The token used to identify this room.
>     roomName, The name of the room.
>     roomUrl, A URL that can be given to other users to allow them to join
> the room.
>     roomOwner, The user-friendly display name indicating the name of the
> room’s owner.
>     expiresAt, The time (in seconds since the Unix epoch) at which the room
> goes away.
>     ctime, The time, in seconds since the Unix epoch, that any of the
> following happened to the room
> 
> Adam, does that seem correct to you? Is it okay to actually expose the
> roomOwner field for instance?

So, I think I'd want to hide the expiresAt and ctime fields, since changes in those fields imply that the room is actively being used, which is probably something we don't want exposed. I could come up with several scenarios in which you could do some pretty creepy things with that information, especially if you queried it periodically.

I can't think of any privacy implications involved in exposing the roomOwner; let's leave that in for unauthenticated queries.
Flags: needinfo?(adam)
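
The field split agreed in the two comments above, written as an allow-list serializer for `GET /rooms/:token`. This is an added example, not code from the bug or from loop-server: `pick`, `roomView`, the sample record and its `internalSessionId` field are hypothetical, and giving an authenticated caller who has not joined the public view is an assumption.

```javascript
'use strict';

// Fields agreed in the discussion for unauthenticated GET /rooms/:token.
const PUBLIC_ROOM_FIELDS = ['roomToken', 'roomName', 'roomUrl', 'roomOwner'];
// Callers who have joined the room also see the timing fields, which change
// when the room is used and therefore reveal activity.
const PARTICIPANT_ROOM_FIELDS = PUBLIC_ROOM_FIELDS.concat(['expiresAt', 'ctime']);

// Copy only allow-listed fields, so a field added to the stored record later
// stays private until it is deliberately added to one of the lists above.
function pick(record, fields) {
  const out = {};
  for (const name of fields) {
    if (Object.prototype.hasOwnProperty.call(record, name)) out[name] = record[name];
  }
  return out;
}

// Hypothetical serializer: callerId is null for an unauthenticated request.
// Assumption: an authenticated caller who has not joined gets the public view.
function roomView(room, callerId) {
  const joined = callerId !== null && room.participants.includes(callerId);
  return pick(room, joined ? PARTICIPANT_ROOM_FIELDS : PUBLIC_ROOM_FIELDS);
}

// Constructed sample record; all values and the internal field are made up.
function sampleRoom() {
  return {
    roomToken: 'EXAMPLETOKEN',
    roomName: 'Weekly sync',
    roomUrl: 'https://hello.example/EXAMPLETOKEN',
    roomOwner: 'Alice',
    expiresAt: 1420000000,
    ctime: 1419000000,
    participants: ['alice-account'],
    internalSessionId: 'constructed-internal-value'
  };
}

// Simulate room activity, then compare what an anonymous poller sees
// before and after: the public view must not change.
function anonymousPollDiffers() {
  const room = sampleRoom();
  const before = JSON.stringify(roomView(room, null));
  room.ctime += 600;     // activity updates the timing fields
  room.expiresAt += 600;
  return before !== JSON.stringify(roomView(room, null));
}
```

A regression test built on `anonymousPollDiffers()` catches the periodic-query leak described in the comment if someone later adds a timing field to the public list.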
Blocks: 1114563
Attached file PR 271
Attachment #8542538 - Flags: review?(rhubscher)
Attachment #8542538 - Flags: review?(alexis+bugs)
Attachment #8542538 - Flags: review+
https://github.com/mozilla-services/loop-server/commit/839170b6c7bb8d324d007bfa01d0cdd0d297bac2
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [loop-server-0.15]
Attached file PR on Github docs
Attachment #8542576 - Flags: review?(rhubscher)
Attachment #8542576 - Flags: review?(alexis+bugs)
Attachment #8542576 - Flags: review+
Assignee: nobody → mathieu