-
Notifications
You must be signed in to change notification settings - Fork 968
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict Security Policies based on route type #13854
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, seems like a reasonable approach.
My one hesitation is around naming - is_api
seems to encompass authentication behaviors, rather than a property of the route itself.
We create more than a few APIs - but not all have the same authentication method, so maybe we need a better name for this.
Prior art from Django Rest Framework combines two ideas to accomplish this - APIView
and permission_classes
- https://www.django-rest-framework.org/api-guide/authentication/#setting-the-authentication-scheme
If the intent is to retire request.is_api
once we remove basic_auth, then go for it
I think that all of our APIs technically take the same authentication methods OR they are unauthenticated (and so the authentication methods don't matter anyways). This is mostly a "gimme" though, because the only API that actually takes authentication currently is the upload API :)
I don't think we'd retire I avoided anything that was associated with the view rather than the route for a few reasons:
It is kind of crummy that the definition of what AuthN methods for a view is located away from the view itself, but I think it's basically a trade off between making sure that With regards to a boolean "Is API" vs "Takes These Authentication Methods", my thinking is:
That being said, that's two people who have pushed back on |
I landed here based on a comment in
The two features will both leverage a fuller, client-accessible JSON-only API, so ensuring that those features are protected with the right security policies are paramount (as the actual functional logic, at least for yanking will likely be pretty simple). Since this PR is now over a year old, I'm looking for guidance for API security policies. |
Provides a mechanism to tag whether a route is an "API" route or not. The effects of tagging a route as an API route is that session basic authentication will no longer work on that route, but Basic and Macaroon authentication will.
Also adds a
request.is_api
attribute that indicates if the current request is an API request or not.Currently the only route we tag as an API route is the upload API.
Fixes #7266