Evolve API authentication to omit it on endpoints intended to be open #9466
Assignees
Labels
Feature: API
NIH OTA: 1.7.1 (reArchitecture)
7 | 1.7.1 | Research & architecture for separating backend and frontend to enable a flexible, sca...
Size: 30
A percentage of a sprint. 21 hours. (formerly size:33)
User Role: API User
Makes use of APIs
Milestone
Comments
GPortas
added
Feature: API
User Role: API User
|
If we implement this we should probably follow up on this thread where we explained that |
GPortas
added
the
Size: 30
|
2023/09/25: Added to 6.1 milestone as per conversation during prioritization meeting. |
qqmyers
added a commit
to GlobalDataverseCommunityConsortium/dataverse
that referenced
this issue
Sep 25, 2023
also remove @AuthRequired per IQSS#9466
cmbz
added this to ▶ SPRINT READY
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
via automation
scolapasta
moved this from ▶ SPRINT READY
to This Sprint 🏃♀️ 🏃
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
scolapasta
moved this from This Sprint 🏃♀️ 🏃
to IQSS Team - In Progress 💻
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
|
The conversation in Slack that lead to this issue: https://iqss.slack.com/archives/C010LA04BCG/p1678391881465749 |
jp-tosca
removed this from IQSS Team - In Progress 💻
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
jp-tosca
added this to ▶ SPRINT READY
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
via automation
jp-tosca
moved this from ▶ SPRINT READY
to IQSS Team - In Progress 💻
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
pdurbin
added a commit
to jp-tosca/dataverse
that referenced
this issue
Nov 28, 2023
IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
automation
moved this from IQSS Team - In Progress 💻
to Done 🚀
Nov 28, 2023
scolapasta
moved this from Done 🚀
to IQSS Team - In Progress 💻
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
scolapasta
removed this from IQSS Team - In Progress 💻
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Overview of the Feature Request
After #9293 refactor, it has become more visible that there are endpoints that, despite being intended to be open, triggers user authentication, when it is not required.
This behavior already existed before the Auth Filter refactor, but it is now more visible by having the
@AuthRequiredannotation. Before the refactor, credential filtering was executed via theAbstractApiBean.response(DataverseRequestHandler hdl)method, which was called from several endpoints, a method which in turn called thefindUserOrDiemethod.These methods no longer exist, since the logic is now moved to the Auth Filter, and the same endpoints which used those methods now they are wrapped by the Auth Filter.
The goal of this issue is to simplify authentication by omitting the auth filter on endpoints that do not require user authentication. This makes the API code more understandable for developers and improves performance by bypassing the auth filter when it's not needed.
Example endpoint:
/api/info/version.What kind of user is the feature intended for?
API User, developers
What inspired the request?
Slack discussion about confusion when seeing endpoint
/api/info/versionmarked withAuthRequiredWhat existing behavior do you want changed?
API authentication
Any brand new behavior do you want to add to Dataverse?
No
Any open or closed issues related to this feature request?
The text was updated successfully, but these errors were encountered: