API: I can query the graphql and possible rest api endpoints without providing an api key #3817
Comments
@waptik : Thanks for opening the issue; I've just verified the issue as well. And I opened a PR with your suggested fix. Thanks a lot. 👍🏽
@SudharakaP You're welcome. I'm glad I could help.
Thank you for the report. We're letting people use our API without API key on purpose. It's a better developer experience to test it! We're however enforcing strong rate limiting in this case, 10 requests / minute / ip address maximum. Using an App Key:
Oh I see. I guess it wasn't a bug, so the PR @SudharakaP opened wasn't needed after all.
Describe the bug
Today I came across a bug that allows anyone to query both v1 and v2 of the graphql endpoints.
I wasn't sure if it was a bug or not, but after getting a reply, I decided to open a bug report and provide a possible fix.
Per my understanding this line is responsible for allowing any provided api key to proceed with its operations as long as it's an internal apiKey/clientId or a valid one from a collective.
But https://github.com/opencollective/opencollective-api/blob/master/server/middleware/authentication.js#L358 doesn't return an error when an api key is not provided which allows anyone to use both graphql endpoints even if an api key is not provided.
So I'm pretty sure that rest api endpoints defined in https://github.com/opencollective/opencollective-api/blob/master/server/routes.js as well can be used without an api key.
To Reproduce
Steps to reproduce the behavior:
For v1: use https://api.opencollective.com/graphql as your endpoint.
For v2: use https://api.opencollective.com/graphql/v2 as your endpoint.
Expected behavior
When an api key is not provided, requests should not proceed but should instead return an error message such as:
As of writing this, that's not the case.
Screenshots
Here are some screenshots for both graphql endpoints when an api key is provided and when it is not provided.
Additional context
A possible fix would be replacing the code found at https://github.com/opencollective/opencollective-api/blob/master/server/middleware/authentication.js#L358 with the one below:
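The two policies discussed in this issue, the reporter's "reject requests with no api key" fix and the maintainers' "allow keyless requests but rate-limit them to 10 requests / minute / IP", side by side as an added example. This is not code from opencollective-api and not the PR that was opened; the key locations (`api_key` query parameter or `Api-Key` header), the accepted-key set, the request objects and the IP addresses are all constructed for the example. The functions use the Express `(req, res, next)` shape but carry no Express dependency, so they run stand-alone.

```javascript
// Added example, not code from opencollective-api. Models two policies for an
// authentication middleware:
//   strict:  requests without an API key are rejected with 401;
//   lenient: keyless requests are allowed but rate-limited per IP
//            (the maintainers' stated limit: 10 requests / minute / IP).

// Constructed sample of accepted keys; a real service would look these up.
const VALID_API_KEYS = new Set(['constructed-valid-key']);

// Assumed key locations: `?api_key=` query parameter or `Api-Key` header.
function extractApiKey(req) {
  const fromQuery = req.query && req.query.api_key;
  const fromHeader = req.headers && req.headers['api-key'];
  return fromQuery || fromHeader || null;
}

// Policy A: an API key is mandatory; missing or unknown keys never reach next().
function requireApiKey(req, res, next) {
  const key = extractApiKey(req);
  if (!key) return res.status(401).json({ error: 'Missing API key' });
  if (!VALID_API_KEYS.has(key)) return res.status(401).json({ error: 'Invalid API key' });
  req.apiKey = key;
  return next();
}

// Fixed-window per-IP counter. `clock` is injectable so the window is testable.
function createRateLimiter({ limit = 10, windowMs = 60000, clock = Date.now } = {}) {
  const buckets = new Map(); // ip -> { windowStart, count }
  return function rateLimit(req, res, next) {
    const ip = req.ip || 'unknown';
    const now = clock();
    let bucket = buckets.get(ip);
    if (!bucket || now - bucket.windowStart >= windowMs) {
      bucket = { windowStart: now, count: 0 };
      buckets.set(ip, bucket);
    }
    bucket.count += 1;
    if (bucket.count > limit) {
      return res.status(429).json({
        error: `Rate limit exceeded: ${limit} keyless requests per ${windowMs / 1000}s per IP`,
      });
    }
    return next();
  };
}

// Policy B: keyed requests are validated; keyless ones fall through to the limiter.
function createLenientAuth(options) {
  const rateLimit = createRateLimiter(options);
  return function authenticate(req, res, next) {
    const key = extractApiKey(req);
    if (key) return requireApiKey(req, res, next);
    return rateLimit(req, res, next);
  };
}

// Minimal response stand-in recording the status and JSON body that were sent,
// and whether the middleware let the request through to next().
function runMiddleware(middleware, req) {
  const result = { status: 200, body: null, passed: false };
  const res = {
    status(code) { result.status = code; return res; },
    json(body) { result.body = body; return res; },
  };
  middleware(req, res, () => { result.passed = true; });
  return result;
}

// Stand-alone demonstration on constructed requests (203.0.113.5 is a documentation address).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('strict, no key:', runMiddleware(requireApiKey, { ip: '203.0.113.5', query: {} }));
  const auth = createLenientAuth({ limit: 10, windowMs: 60000 });
  for (let i = 1; i <= 11; i++) {
    const r = runMiddleware(auth, { ip: '203.0.113.5', query: {} });
    if (!r.passed) console.log(`lenient, keyless request ${i}:`, r.status, r.body.error);
  }
}
```

Under the lenient policy an invalid key is still a hard 401 rather than a fall-through to the keyless path, so a caller cannot escape the per-IP limit by sending garbage keys; the limiter is a fixed window per IP, which is what a 10 / minute / IP statement describes, and a sliding window or a shared store would be needed once the API runs on more than one process.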