Security topic : Api Key and Signed urls #20

Open
luddaniel opened this issue Aug 11, 2023 · 2 comments
@luddaniel
Contributor

luddaniel commented Aug 11, 2023

Hello @qqmyers and everybody, I was wondering about the security regarding the use of the Api Key `&key=xxx` as a query string of the URL.
Understand that I just want to open the dialogue on this topic.

The Api Key is required to use the Direct DataFile Upload/Replace APIs, but the security risk seems important to me; non-IT users may share this URL or may keep browser history on a shared computer and give their level of access on Dataverse.

Security is important and this issue has been addressed for Dataverse External Tools with the option Signed URLs. I don't know if it's possible to use it right now, but it might be an idea to work on this (maybe extend the Dataverse Signed URL scope to more than only External Tools if it's not).

Here is a non-exhaustive list of benefits to consider:

  • No security issues regarding accidental sharing of the Api Key
  • Limited authorised scope of API endpoints and time of use (a full day is safe enough)
  • No issue regarding Api Key creation and expiration ("Your key is expired, you must renew it before use DVWL...")

What do you think?
Best regards

@luddaniel
Contributor Author

luddaniel commented Aug 11, 2023

To generate a Request Signed URL we need a superUser Api Key, so it does not seem possible from the DvWebLoader JavaScript side.
An idea is to pre-generate the required Signed URLs from Dataverse UI > Dataset upload file tab and send them to DvWebLoader.

@qqmyers
Member

qqmyers commented Aug 11, 2023

Yes, this would require changes to both Dataverse and the dvwebloader. The dvwebloader is essentially an external tool, but, because it is now hardwired into the download pane, it is not registered like an external tool and thus there's no place to configure which signedUrls the tool should get. That said, this would be relatively straightforward to do when someone has the time/interest. (It would also be great to have all the previewers using signedUrls.)

FWIW: The examples for the DirectUpload API show use of an APIKey, but those calls, like the rest of the API, can be used with signedUrls as well.
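
The scope and time limits discussed in this thread, as an added example that is not part of the original issue and not Dataverse's own code: a generic HMAC-signed URL bound to one method, one URL, one user and an expiry, so a leaked link gives less than a leaked `key=`. The secret, the sample URL, the `user`/`until`/`token` parameter names and the MAC construction are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo secret; it stays on the server and never reaches the browser.
SERVER_SECRET = b"constructed-demo-secret"


def _mac(method: str, url: str) -> bytes:
    """Hex HMAC-SHA256 over the HTTP method plus the URL without its token."""
    msg = f"{method.upper()} {url}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest().encode()


def sign_url(url: str, user: str, method: str, ttl_s: int,
             now: Optional[float] = None) -> str:
    """Append user, expiry and a token that covers method, path and query."""
    parts = urlsplit(url)
    until = int((time.time() if now is None else now) + ttl_s)
    query = parse_qsl(parts.query) + [("user", user), ("until", str(until))]
    unsigned = urlunsplit(parts._replace(query=urlencode(query), fragment=""))
    return unsigned + "&token=" + _mac(method, unsigned).decode()


def verify_url(signed: str, method: str, now: Optional[float] = None) -> bool:
    """Accept only an unmodified URL, used with the signed method, before expiry."""
    unsigned, sep, token = signed.rpartition("&token=")
    if not sep:
        return False  # no token at all
    # Constant-time comparison; fails if path, query, user, expiry or method changed.
    if not hmac.compare_digest(_mac(method, unsigned), token.encode()):
        return False
    until = dict(parse_qsl(urlsplit(unsigned).query)).get("until", "")
    current = time.time() if now is None else now
    return until.isdigit() and current <= int(until)


if __name__ == "__main__":
    # Constructed sample endpoint, valid for one day as suggested in the issue.
    link = sign_url("https://dataverse.example.org/api/datasets/42/add?size=1024",
                    "alice", "POST", ttl_s=86400)
    print(link)
    print("same method:", verify_url(link, "POST"))
    print("other method:", verify_url(link, "DELETE"))
```
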
