Issues when configuring blocked API endpoint policy

**What steps does it take to reproduce the issue?**

While configuring blocked API endpoints today, I ran into two issues:

1. The documentation gives example values for `dataverse.api.blocked.endpoints` that start with `api/`:

   <img width="1026" height="302" alt="Image" src="https://github.com/user-attachments/assets/4f3c9b9d-8488-4562-9070-1d6c927fe9ef" />

   See https://guides.dataverse.org/en/6.8/installation/config.html#dataverse-api-blocked-endpoints

   However, when I set `DATAVERSE_API_BLOCKED_ENDPOINTS=api/admin,api/builtin-users` the endpoints were still unblocked and freely accessible.

   I had to set  `DATAVERSE_API_BLOCKED_ENDPOINTS=admin,builtin-users`.

   From looking at the code, I guess it makes sense, because it seems to me that the handling of the config values doesn't differ depending on if the config value comes from the [old deprecated DB setting](https://guides.dataverse.org/en/6.8/installation/config.html#blockedapiendpoints-deprecated) or the new JVM setting...

   https://github.com/IQSS/dataverse/blob/15f7b0d6df8cbd3a5bbed56e7bbb0621e113ee6b/src/main/java/edu/harvard/iq/dataverse/api/filter/ApiBlockingFilter.java#L91-L92

   https://github.com/IQSS/dataverse/blob/15f7b0d6df8cbd3a5bbed56e7bbb0621e113ee6b/src/main/java/edu/harvard/iq/dataverse/api/filter/ApiBlockingFilter.java#L111

   ..and the old setting docs give an example without `/api`.

   <img width="842" height="41" alt="Image" src="https://github.com/user-attachments/assets/b5d2a5ff-1a7e-4419-b6e1-dcb57e2d0090" />

   So it seems to me that the JVM setting documentation isn't correct...?

2. I received log warnings about my unblock key being weak, but I think it's an error in the code.

   https://github.com/IQSS/dataverse/blob/15f7b0d6df8cbd3a5bbed56e7bbb0621e113ee6b/src/main/java/edu/harvard/iq/dataverse/api/filter/ApiBlockingFilter.java#L107-L109

   https://github.com/IQSS/dataverse/blob/ba35f992a30cc63f14f8144bb9fa611719337134/src/main/java/edu/harvard/iq/dataverse/validation/PasswordValidatorServiceBean.java#L146

   If the length of the list returned by `validate` is 0, it means there were no errors, so the key is fine and not weak, right?


**Which version of Dataverse are you using?**

6.8, but I checked and the issues seem to apply to current develop branch as well

**Any related open or closed issues to this bug report?**

Didn't find any

**Are you thinking about creating a pull request for this issue?**
Help is always welcome, is this bug something you or your organization plan to fix?

Sure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issues when configuring blocked API endpoint policy #12232

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	endpointList = jvmEndpointList
	.orElse(settingsService.getValueForKey(SettingsServiceBean.Key.BlockedApiEndpoints, ""));

	} else if (passwordValidatorService.validate(key).size() == 0) {
	logger.warning("Weak unblock key detected. Please use a stronger key for better security.");
	}

Issues when configuring blocked API endpoint policy #12232

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions