Originally on 2011-09-02
Our Indico colleagues recently added support for signed API usage, based on:
Our Indico friends implemented it in this way:
and we might therefore follow the same principles in order to have client code developers to reuse their code.
Note that this idea has already a first use case in the form of a Drupal module to push records to Invenio
Originally on 2011-09-20
Possible table structure to have would be:
This task actually affects also the WebSession module.
As part of this task, the /youraccount/edit interface should be extended to allow a user to request for a new couple of system generated key and secret. They user might have as many key/secret as he needs and should be able to provide a sensible description in order to distinguish them.
An admin interface should be used in order to monitor key usage WRT certain configurable policies. Keys that are used without respecting a policy can be revoked by this interface.
An example of policy might be that a certain API can be used only with a maximum frequency. Rules might be built taking into consideration roles, so that we can say e.g. the search API can be queried every 0.5 seconds by users in the role searchmasters.
A BibTask(let) can be introduced that will periodically scan the key_log table and rank key usage and match it against policies. This task would send warning emails and e.g. store in the status column of the key table a progressive WARNING level (e.g. WARNING1, WARNING2, WARNING3) so that the admin can immediately see which users are actually abusing the service.
The actual authentication phase, based on API keys would happen at the level of the webinterface_handler module, and a valid usage of a key and signature would result in correctly set the current user uid to the owner of the key.
Originally by Esteban J. G. Gabancho firstname.lastname@example.org on 2012-08-20
#CommitTicketReference repository="" revision="771fcecf352a0e604135d9c89845d45c85f08f42"
WebApiKey: initial release
- Initial release of the user-signed Web API key facility.
- Adds an admin interface to view/edit user's Web API keys.
Originally by Esteban J. G. Gabancho email@example.com on 2012-08-23