Open Bug 905672 Opened 11 years ago Updated 3 years ago

mozillians.org REST API should support CORS

Categories

(Participation Infrastructure :: Phonebook, defect)

Product:
Participation Infrastructure
Component:
Phonebook
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

People

(Reporter: bwalker, Unassigned)

References

Details

(Whiteboard: [Triage 2015-04-17] [iam-RFE]) 

The phonebook API as documented at https://wiki.mozilla.org/Mozillians/API-Specification should support CORS
Blocks: 902008
This change would allow a variety of new applications of Mozillians data, and is worth serious consideration. Implementing it would require changes to our API access controls. Currently they require an application-specific secret key that grants complete access to mozillians.org data. But if we support client-side applications, we will have to build better ways to guard the data since in that scenario the secret key will be present on every client device. Ideas for this are welcome!
This is a relatively easy change, but as hoosteeno mentioned, we use api keys to restrict access to the api and those obviously can't be distributed to clients.

Our current privacy restrictions for the API make it hard to allow access to clients because the API is intentionally more restricted than the 'vouched mozillian' access level, so we can't simply add username/password authorization or something like that.

Whether we can reduce these restrictions or not depends on what sort of data you're looking to pull for a client side app. We could add public or username/password authorization for certain API functions, though the ones that pull full user data based on search terms are probably off limits, unless you can convince the privacy team to relax these restrictions, I suppose.
(In reply to Andrei Hajdukewycz [:sancus] from comment #2)
> This is a relatively easy change, but as hoosteeno mentioned, we use api
> keys to restrict access to the api and those obviously can't be distributed
> to clients.
> 

Hi Andrei, I agree the current API keys don't seem like a good match for my use case. From the vantage point of building single-page mobile web apps, the ability to access this kind of data from the client is very powerful, so I'd really encourage you to look for a way to enable client-side access to this data.

thanks,
-Bill
It's mostly a policy restriction, not a technical one. We'll have to see if we can get the policy re-evaluated.
:bwalker, could you work with the summit mobile experience team to devise a list of data (or better, endpoints) that you'd like to access on the client? So far I know about...

'Show me all unique cities in Mozillians.org'

I will be glad to open conversations with the privacy and developer teams about the feasibility of creating new endpoints that are either public (if we only need to provide aggregate data such as the above) or authenticated (if we need to provide identifying information).
Flags: needinfo?(bwalker)
This is no longer required for the summit experience. Still a good roadmap bug.
No longer blocks: 902008
OS: Mac OS X → All
Hardware: x86 → All
(In reply to Justin Crawford [:hoosteeno] from comment #5)
> :bwalker, could you work with the summit mobile experience team to devise a
> list of data (or better, endpoints) that you'd like to access on the client?
> So far I know about...
> 
> 'Show me all unique cities in Mozillians.org'
> 
> I will be glad to open conversations with the privacy and developer teams
> about the feasibility of creating new endpoints that are either public (if
> we only need to provide aggregate data such as the above) or authenticated
> (if we need to provide identifying information).

Justin,

I think we discussed all this in our phone conversation, do you have notes you could paste in here?
Flags: needinfo?(bwalker)
We're working on bug 908702 which captures our conversation related to Summit-supporting API endpoints.
No longer blocks: APIv2
I think as a stop gap - we could have a public data key or give clients a session?
Blocks: Mozillians.next
Whiteboard: [Triage 2015-04-17]
Blocks: APIv2
Whiteboard: [Triage 2015-04-17] → [Triage 2015-04-17] [iam-RFE]
You need to log in before you can comment on or make changes to this bug.