feat(debug): add APIs to allow forcing exceptions/prints/etc

[jansegre]

Unresolved questions:

• Should these endpoints only by added when enabled from the command line? (like --enable-debug-api)
• Is the prefix _debug/ OK? I wanted it to look as something clearly made for internal use, that's why the _
• Should these endpoints be registered to the openapi generator? I just added them without putting much thought into it, they're all missing the parameters supported and/or examples, like we have on other endpoints
• Is there any possibly useful functionality missing?

[codecov]

Codecov Report

Merging #277 (946e05d) into dev (7271e0c) will decrease coverage by 0.20%.
The diff coverage is 52.88%.

@@            Coverage Diff             @@
##              dev     #277      +/-   ##
==========================================
- Coverage   82.41%   82.21%   -0.21%     
==========================================
  Files         149      150       +1     
  Lines       14116    14220     +104     
  Branches     2014     2026      +12     
==========================================
+ Hits        11634    11691      +57     
- Misses       2065     2113      +48     
+ Partials      417      416       -1     

Impacted Files	Coverage Δ
hathor/debug_resources.py	52.88% <52.88%> (ø)
hathor/consensus.py	93.10% <0.00%> (ø)
hathor/p2p/node_sync.py	83.54% <0.00%> (+0.49%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7271e0c...946e05d. Read the comment docs.

[luislhl]

• Should these endpoints only by added when enabled from the command line? (like --enable-debug-api)

I think so, otherwise, if a full-node has its API exposed, someone will be able to crash it. Even with the possibility of blocking requests to the _debug path in another level, the default should be the safest option to avoid mistakes.

[jansegre]

• Should these endpoints only by added when enabled from the command line? (like --enable-debug-api)

I think so, otherwise, if a full-node has its API exposed, someone will be able to crash it. Even with the possibility of blocking requests to the _debug path in another level, the default should be the safest option to avoid mistakes.

Makes sense. I agree. Added --enable-debug-api now.

[pedroferreira1]

I think we should add more protections for those endpoints. We've discussed to allow --test-mode only with another parameter --unsafe-mode. Maybe we should do the same here.

I am especially worried about the last two endpoints, the one that exit the full node and corrupts the database and the other that sets storage to None. We have to make sure none of our public nodes have those endpoints available (even if it's private, we need to make sure we won't call this API by mistake in our wallets/explorer nodes).

What do you think?

About the API docs, I like having it, I think this should be as complete as possible, but maybe the public docs could have only the public endpoints, I don't know.

[jansegre]

I think we should add more protections for those endpoints. We've discussed to allow --test-mode only with another parameter --unsafe-mode. Maybe we should do the same here.

I am especially worried about the last two endpoints, the one that exit the full node and corrupts the database and the other that sets storage to None. We have to make sure none of our public nodes have those endpoints available (even if it's private, we need to make sure we won't call this API by mistake in our wallets/explorer nodes).

What do you think?

I'm not sure. I think --enable-debug-api and --unsafe-mode --enable-debug-api are just as likely to be enabled by mistake. If we do decide to add a --unsafe-mode for --test-mode, it makes sense to include this parameter and maybe others, but I think we should discuss the --unsafe-mode separately.

About the API docs, I like having it, I think this should be as complete as possible, but maybe the public docs could have only the public endpoints, I don't know.

I agree. Currently I can either register the endpoints or not. Do you think it's worth it to add a mechanism to selectively register endpoints so we can optionally generate a full API doc? Or do you think it's enough for the class to have the OpenAPI description but simply not register it? @pedroferreira1

[pedroferreira1]

If we do decide to add a --unsafe-mode for --test-mode, it makes sense to include this parameter and maybe others, but I think we should discuss the --unsafe-mode separately.

Agree

Do you think it's worth it to add a mechanism to selectively register endpoints so we can optionally generate a full API doc? Or do you think it's enough for the class to have the OpenAPI description but simply not register it?

I think it's enough for now just not to register it.