Add API Token Auth restrictions on GET APIs #3470
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @carols10cents (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
|
Also, I would like to call out that since the tests do not match the structure of the code is was painful to find existing tests and where to add new tests to. |
jakeswenson
force-pushed
the
restrict-api-token-access-on-GET-requests
branch
from
31c4d05 to
64a326e
Compare
|
We discussed this in the weekly meeting, and agreed to allow authenticated requests on the two endpoints you allowed in this PR! Someone will review the actual implementation soon :) |
|
☔ The latest upstream changes (presumably #3403) made this pull request unmergeable. Please resolve the merge conflicts. |
jakeswenson
force-pushed
the
restrict-api-token-access-on-GET-requests
branch
from
64a326e to
0dc2c42
Compare
jakeswenson
force-pushed
the
restrict-api-token-access-on-GET-requests
branch
from
0dc2c42 to
894460f
Compare
|
Thanks for the PR! @bors r+ |
|
📌 Commit 894460f has been approved by |
|
☀️ Test successful - checks-actions |
Forbid token auth on `/me` endpoint This prohibits access to the `/api/v1/me` endpoint via an API token. I'd like to merge and deploy this before moving forward on rust-lang/simpleinfra#43, which would expose this endpoint. (Previous lockdown work was done in #3470.) The second commit ensure that the user is only authenticated on the search endpoint when querying for followed crates. r? `@pietroalbini`
7 participants
This PR adds explicit denial of API token authentication on most GET APIs.
Currently, CloudFront was never passing along the
Authorizationheader forGETrequests.(See rust-lang/simpleinfra#43 for more details.)
In addressing that issue it was pointed out that there may be GET APIs that the team might not want to commit to allowing API tokens access to.
This PR attempts to limit the exposed APIs to:
/api/v1/crates?following=1(the crates "search" API, which is the only way to get the list of crates a user is following.)/api/v1/me