
POST ElectronPdf extension service key rather than get
Closed, Declined · Public

Description

  • If the api key for the electron service is supposed to stay secret, it would be better to do a POST request with the key in the post body, as that way it is much less likely to end up in log files.
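
Added example, not part of the original task or of the ElectronPdf code: a stand-in loopback server (not the Electron service) records its access log while the same key is sent once in a GET query string and once in a POST body. The `/pdf` path, the `url` parameter and the key value are constructed for illustration; `accessKey` is the parameter name used in this discussion.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

ACCESS_LOG = []                    # stands in for the server's access log file
KEY = "constructed-demo-key-123"   # constructed sample value, not a real key


class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        # Same text http.server would write to stderr: request line and status.
        ACCESS_LOG.append(fmt % args)

    def _reply(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply()

    def do_POST(self):
        # The application reads the body; the access log never sees it.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply()


def _send(port, method, path, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn.request(method, path, body=body, headers=headers)
    conn.getresponse().read()
    conn.close()


def run_demo():
    """Send the key once per method and return the access-log lines."""
    ACCESS_LOG.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    params = urlencode({"accessKey": KEY, "url": "https://example.org/page"})
    try:
        _send(server.server_port, "GET", "/pdf?" + params)      # key in URL
        _send(server.server_port, "POST", "/pdf", body=params)  # key in body
    finally:
        server.shutdown()
        server.server_close()
    return list(ACCESS_LOG)
```

The first returned line carries the full query string, key included; the second shows only `POST /pdf`.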

Event Timeline

Addshore created this task. Nov 2 2016, 8:57 AM
Restricted Application added a subscriber: Aklapper. Nov 2 2016, 8:57 AM
Tobi_WMDE_SW moved this task from Proposed to Todo on the WMDE-QWERTY-Team board. Nov 2 2016, 10:09 AM

By looking at the API documentation and playing with POST requests I could not find a way to send the accessKey via POST.
@GWicke is there a way to do this for the test instance at https://pdf-electron.wmflabs.org/?

GWicke added a comment. Edited Nov 7 2016, 3:28 PM

@Tobi_WMDE_SW, we will provide a public REST API end point that you should send user requests to. Don't worry about using the electron service directly in production.

For testing, there is no need to keep the accesskey secret. Either way, requests will be simple GETs.

@GWicke thx! OK, we're then fine for now and will change the extension once the public REST API is in place.

Bawolff added a subscriber: Bawolff. Nov 7 2016, 3:46 PM

POSTing the API key is not super important. It does make it much less likely for the key to be accidentally disclosed (via logs or whatever), but ultimately the security of the key isn't super important given what it is protecting, so if this issue is difficult to do, I think it's OK to skip.

@Bawolff, the public API won't need any access key.

GWicke added a comment. Edited Nov 7 2016, 3:50 PM

@Tobi_WMDE_SW, just to make sure we are on the same page: Will you directly link to the REST API URL, so that Varnish caching can do its work? We shouldn't proxy this through PHP without a good reason.

@GWicke yeah, I think that's the plan.

WMDE-Fisch closed this task as Declined. Nov 8 2016, 1:24 PM
WMDE-Fisch added a subscriber: WMDE-Fisch.

See discussion above.

Tobi_WMDE_SW moved this task from Todo to Done on the WMDE-QWERTY-Team board. Nov 8 2016, 1:24 PM
Tobi_WMDE_SW moved this task from Done to Demoed on the WMDE-QWERTY-Team board. Nov 8 2016, 3:53 PM