Open
Bug 905672
Opened 11 years ago
Updated 3 years ago
mozillians.org REST API should support CORS
Categories
(Participation Infrastructure :: Phonebook, defect)
Participation Infrastructure
Phonebook
Tracking
(Not tracked)
NEW
People
(Reporter: bwalker, Unassigned)
References
Details
(Whiteboard: [Triage 2015-04-17] [iam-RFE])
The phonebook API as documented at https://wiki.mozilla.org/Mozillians/API-Specification should support CORS
Comment 1•11 years ago
|
||
This change would allow a variety of new applications of Mozillians data, and is worth serious consideration. Implementing it would require changes to our API access controls. Currently they require an application-specific secret key that grants complete access to mozillians.org data. But if we support client-side applications, we will have to build better ways to guard the data since in that scenario the secret key will be present on every client device. Ideas for this are welcome!
Comment 2•11 years ago
|
||
This is a relatively easy change, but as hoosteeno mentioned, we use api keys to restrict access to the api and those obviously can't be distributed to clients. Our current privacy restrictions for the API make it hard to allow access to clients because the API is intentionally more restricted than the 'vouched mozillian' access level, so we can't simply add username/password authorization or something like that. Whether we can reduce these restrictions or not depends on what sort of data you're looking to pull for a client side app. We could add public or username/password authorization for certain API functions, though the ones that pull full user data based on search terms are probably off limits, unless you can convince the privacy team to relax these restrictions, I suppose.
Reporter | ||
Comment 3•11 years ago
|
||
(In reply to Andrei Hajdukewycz [:sancus] from comment #2) > This is a relatively easy change, but as hoosteeno mentioned, we use api > keys to restrict access to the api and those obviously can't be distributed > to clients. > Hi Andrei, I agree the current API keys don't seem like a good match for my use case. From the vantage point of building single-page mobile web apps, the ability to access this kind of data from the client is very powerful, so I'd really encourage you to look for a way to enable client-side access to this data. thanks, -Bill
Comment 4•11 years ago
|
||
It's mostly a policy restriction, not a technical one. We'll have to see if we can get the policy re-evaluated.
Comment 5•11 years ago
|
||
:bwalker, could you work with the summit mobile experience team to devise a list of data (or better, endpoints) that you'd like to access on the client? So far I know about... 'Show me all unique cities in Mozillians.org' I will be glad to open conversations with the privacy and developer teams about the feasibility of creating new endpoints that are either public (if we only need to provide aggregate data such as the above) or authenticated (if we need to provide identifying information).
Flags: needinfo?(bwalker)
Comment 6•11 years ago
|
||
This is no longer required for the summit experience. Still a good roadmap bug.
Reporter | ||
Comment 7•11 years ago
|
||
(In reply to Justin Crawford [:hoosteeno] from comment #5) > :bwalker, could you work with the summit mobile experience team to devise a > list of data (or better, endpoints) that you'd like to access on the client? > So far I know about... > > 'Show me all unique cities in Mozillians.org' > > I will be glad to open conversations with the privacy and developer teams > about the feasibility of creating new endpoints that are either public (if > we only need to provide aggregate data such as the above) or authenticated > (if we need to provide identifying information). Justin, I think we discussed all this in our phone conversation, do you have notes you could paste in here?
Flags: needinfo?(bwalker)
Comment 8•11 years ago
|
||
We're working on bug 908702 which captures our conversation related to Summit-supporting API endpoints.
Comment 10•10 years ago
|
||
I think as a stop gap - we could have a public data key or give clients a session?
Updated•9 years ago
|
Blocks: Mozillians.next
Whiteboard: [Triage 2015-04-17]
Updated•3 years ago
|
Whiteboard: [Triage 2015-04-17] → [Triage 2015-04-17] [iam-RFE]
You need to log in
before you can comment on or make changes to this bug.
Description
•