Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug or feature? - Invalid api token results in access denied to public objects #10070

Closed
landreev opened this issue Oct 30, 2023 · 14 comments · Fixed by #10127
Closed

Bug or feature? - Invalid api token results in access denied to public objects #10070

landreev opened this issue Oct 30, 2023 · 14 comments · Fixed by #10127
Assignees
@jp-tosca
Labels
Feature: API Size: 3 A percentage of a sprint. 2.1 hours.
Milestone
6.1

Comments

@landreev
Copy link
Contributor

I can see how one can argue that this is the correct behavior. But at the very least, this appears to have been an undocumented change in behavior. We noticed that sometime between 5.9 and 6.0 /api/access/datafile/...?key=null started to result in a 403 on a public file, so many features in Data Explorer v2 are not working in 6.0 because that's what it sends underneath.
@pdurbin
Copy link
Member

pdurbin commented Oct 30, 2023

this appears to have been an undocumented change in behavior

I propose we start an API changelog for these:

Here's the related issue on the Data Explorer v2 side:

@cmbz cmbz added this to the 6.1 milestone Oct 31, 2023
@cmbz cmbz moved this to SPRINT- NEEDS SIZING in IQSS Dataverse Project Oct 31, 2023
@cmbz
Copy link

cmbz commented Oct 31, 2023

2023/10/31: as per exchange with @scolapasta I have added the issue to the Global Backlog for sizing. I labeled it "Feature: API" although it's somewhat more of a bug than feature.

@landreev landreev mentioned this issue Nov 1, 2023
Open
@cmbz
Copy link

cmbz commented Nov 6, 2023

2023/11/6: Group discussion following the standup suggests that we need to decide on a strategy before sizing. Either 1) simply document the behavior so that applications that assume they can send inauthentic tokens for public datasets are alerted, or 2) modify the behavior itself, which requires development. I'm not certain who should decide: @landreev, @pdurbin, or @scolapasta can someone weigh in and decide next steps?

@qqmyers
Copy link
Member

qqmyers commented Nov 6, 2023

+1 to document and fail when bad tokens are sent

@landreev
Copy link
Contributor Author

landreev commented Nov 6, 2023

I too vote +1 for sticking with the current behavior, while documenting it in the guide and in the next release note.
I'm happy to point any other instance that runs into this problem with the Explorer v2 to the local issue where I documented the apache rewrite line that fixes it. But then it's probably safe to assume that it will be fixed in the Explorer very soon too.

@pdurbin
Copy link
Member

pdurbin commented Nov 6, 2023

+1 to the above. Let's also add a test asserting the current behavior.

@landreev
Copy link
Contributor Author

landreev commented Nov 6, 2023

... an extra +1 for adding a test. Could still be a 3 (?).

@scolapasta
Copy link
Contributor

+1 let's go with this approach

@scolapasta scolapasta added the Size: 3 A percentage of a sprint. 2.1 hours. label Nov 15, 2023
@scolapasta scolapasta moved this from SPRINT- NEEDS SIZING to Clear of the Backlog in IQSS Dataverse Project Nov 15, 2023
@jp-tosca jp-tosca self-assigned this Nov 15, 2023
@jp-tosca
Copy link
Contributor

Are there any other changes to the API that would be good to include on this?

I made this quickly just so we can have some input, I was thinking of adding this at the top of the guide and with a format similar to this:

image

@scolapasta @pdurbin @cmbz

Didn't want to ping everyone but feel free to let me know if I should ping someone else.

@jp-tosca
Copy link
Contributor

@scolapasta mentioned yesterday it was only documentation but, @pdurbin, @landreev mentioned a test. Should I also work on that?
😃

@pdurbin
Copy link
Member

pdurbin commented Nov 16, 2023

My main feedback is that instead of a date, it should be a version. Note that Leonid said above, "We noticed that sometime between 5.9 and 6.0."

Also, I'd put the changelog lower down, maybe even the last page (after the FAQ).

@jp-tosca
Copy link
Contributor

jp-tosca commented Nov 17, 2023
edited
Loading

Hi, @landreev just wanted to check with you since you created this thread. In your initial comment, you mention that is a 403 but with the testing I have done I am getting a 401, just wanted to check I am looking at the right thing.

Also, there is already a test in place so probably will just have to modify AccessIT to add this condition.

image

@jp-tosca jp-tosca mentioned this issue Nov 17, 2023
Merged
pdurbin added a commit to jp-tosca/dataverse that referenced this issue Nov 17, 2023
@pdurbin
fix bullet IQSS#10060 IQSS#10070
2433114
@jp-tosca jp-tosca moved this to Clear of the Backlog in IQSS Dataverse Project Nov 17, 2023
@luddaniel
Copy link
Contributor

We are currently preparing the migration to v5.14 from v5.12.1 and we jumped on the same issue, so thank you for all the investigation and work done to resolve it.

Here are some additional information for the changelog.rst of PR #10127 :

This issue is related to the commit : e8163b v5.14

If you understand Java, here is the explanation :

@AuthRequired will fill ContainerRequestFilter via AuthFilter
AuthFilter.filter function will try to find the authentication mechanism if there is one and when ApiKeyAuthMechanism.findUserFromRequest calls ApiKeyAuthMechanism.getRequestApiKey it will retrieve a String "null" for key=null and the code will throw new WrappedAuthErrorResponse(RESPONSE_MESSAGE_BAD_API_KEY); ("Bad API key")

This code is completely okay, I join you all on the idea of keep it that way and fix it in Data Explorer v2 scholarsportal/dataverse-data-explorer-v2#29
Maybe @AuthRequired is too much because checkAuthorization(getRequestUser(crc), df); will give you a granted access as long as the file is released, non restricted, not embargoed.

We decided to implement RewriteRule also but faced a weird case where key=null appears 2 times key=null&variables=v289,v290&apikey=nulleable&key=null
So our RewriteRule uses N flag to repear the removal of key=null

RewriteCond %{QUERY_STRING} ^(.+?&|)key=null(?:&(.*)|)$ [NC]
RewriteRule ^ %{REQUEST_URI}?%1%2 [N,R]

Regards

@stevenferey
Copy link
Contributor

For information, we have adapted the rule to handle a case generating an error:Downloading "Tab-delimited file" from DataExplorer. Generated URL is &key=null

RewriteCond %{QUERY_STRING} ^(.*?&|)key=null(?:&(.*)|)$ [NC]
RewriteRule ^ %{REQUEST_URI}?%1%2 [N,R]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jp-tosca jp-tosca

Labels
Feature: API Size: 3 A percentage of a sprint. 2.1 hours.
Projects
IQSS Dataverse Project
Status: No status
Milestone
6.1
Development

Successfully merging a pull request may close this issue.

Add condition for 401 on invalid key and changelog on API Guide jp-tosca/dataverse
8 participants
@pdurbin @landreev @scolapasta @qqmyers @stevenferey @cmbz @luddaniel @jp-tosca