Closed Bug 861343 Opened 11 years ago Closed 11 years ago

[MakeAPI] Implement API security model

Categories

(Webmaker Graveyard :: MakeAPI, defect)

Product:
Webmaker Graveyard
Component:
MakeAPI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: cade, Assigned: cade)

References

Details

(Whiteboard: u=dev c=makeAPI p=1 s=2013w17)

Attachments

(1 file, 1 obsolete file)

https://github.com/mozilla/MakeAPI/pull/25
42 bytes, text/x-github-pull-request
jon
: review+
Details | Review 
Certain actions will require authentication.
Component: General → MakeAPI
Whiteboard: [MakeAPI] → u=dev c=makeAPI p=1 s=2013w16
Assignee: nobody → chris
Gonna write some things in my head down:

Create, update, delete: limit to authenticated webmakers. requests for new makes must originate from one of our domains (thimble.wm.org, popcorn.wm.org, etc)

I'm not sure how limited we want searching to be. But if we're keeping it to webmaker tools, then requests must originate from our domains.
Attached file Fix Routes, make Search us GET (obsolete) — 
https://github.com/mozilla/MakeAPI/pull/13
Attachment #739216 - Flags: review?(schranz.m)
Comment on attachment 739216 [details] [review]
Fix Routes, make Search us GET

gah, wrong bug.
Attachment #739216 - Flags: review?(schranz.m)
There have been a few ideas thrown around for this.

The first is a separation into two apps. the first would sit behind a firewall and only be accessible from our apps. It will be able to do create/update/delete on the assumption that our apps have an authenticated user triggering the actions. The second app would be a public facing search endpoint that doesn't require authentication to query.

In talking with :sedge we threw around some ideas where the SSO app could generate tokens or API keys for logged in users to use with the API for create/update/delete. The only useful reason to have that is for admins to be able to log in using a web interface that's not backed by a node app and can make authenticated calls.

thoughts?
Flags: needinfo?
Need info flag without the person from whom you need info isn't gonna get you anywhere, sadly :) You can tag multiple people with a comma separated list.

Any further update / discussion here?
Flags: needinfo?
I spoke with some of the webdev team members, and we thought that adding basic authentication would be the easiest method. You could configure a list of accepted username/password pairs on the MakeAPI side, then hand out these credentials for each server that needed priveleged write access to the MakeAPI.
(In reply to Jon Buckley [:jbuck] from comment #6)
> I spoke with some of the webdev team members, and we thought that adding
> basic authentication would be the easiest method. You could configure a list
> of accepted username/password pairs on the MakeAPI side, then hand out these
> credentials for each server that needed priveleged write access to the
> MakeAPI.

That seems like a workable approach. Might be a bit of a pain handing out credentials to the authorized applications though.
Whiteboard: u=dev c=makeAPI p=1 s=2013w16 → u=dev c=makeAPI p=1 s=2013w17
Adds basic Auth for the Create/Update/Delete routes. 

User/pass values are set up by env variables at run time. (see env.sample)
Attachment #739216 - Attachment is obsolete: true
Attachment #740469 - Flags: review?(swex)
Attachment #740469 - Flags: review?(jon)
:jbuck - It seems I'm late to the game on this one, but doens't having basic authentication for the MakeAPI reduce the impact of a single-sign on?
(In reply to Kieran Sedgwick (:sedge) from comment #9)
> :jbuck - It seems I'm late to the game on this one, but doens't having basic
> authentication for the MakeAPI reduce the impact of a single-sign on?

It shouldn't, C/U/D endpoint should only be used behind the scenes by our apps anyways, and searching can be completely public.
Comment on attachment 740469 [details] [review]
https://github.com/mozilla/MakeAPI/pull/25

There's two ways this could be done, you could either have one set of routes for Persona-authenticated users and one for basic authenticated servers or you could just assume that all updates to the makeAPI will be done through servers.

I'm okay with picking the latter for now, and supporting the Persona-authenticated route in the future.

r-, problems noted in the pull request.
Attachment #740469 - Flags: review?(swex)
Attachment #740469 - Flags: review?(jon)
Attachment #740469 - Flags: review-
(In reply to Jon Buckley [:jbuck] from comment #11)
> There's two ways this could be done, you could either have one set of routes
> for Persona-authenticated users and one for basic authenticated servers or
> you could just assume that all updates to the makeAPI will be done through
> servers.

I'm still curious what kind of system we could use to authenticate logged webmaker accounts.
Comment on attachment 740469 [details] [review]
https://github.com/mozilla/MakeAPI/pull/25

I've addressed all of your concerns.
Attachment #740469 - Flags: review- → review?(jon)
Blocks: 864942
Staged on Master: https://github.com/mozilla/MakeAPI/commit/5e9f2912e8481cc04f3638b1a3c9bb7e4968795f
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attachment mime type: text/plain → text/x-github-pull-request
Attachment mime type: text/plain → text/x-github-pull-request
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: