-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Archive Token from requests instead of setting #29
Conversation
…adme, remove ARCHIVE_TOKEN from settings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if we want to pass through the user's API token we need to think about it a bit more carefully. I don't think setting a global cache key is going to scale, unfortunately.
def __call__(self, request): | ||
token = request.headers.get('Authorization') | ||
if token: | ||
cache.set('archive_token', token, timeout=None) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this cache doesn't differentiate between users. What happens if one user sends a request to the backend, the token gets set, and then another user overwrites the token by sending a request? It seems hard/impossible to guarantee that the token will be set correctly per user, per request with possibly hundreds or thousands of requests coming in at once.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked into it a bit and it seems like threading().local
might be an option to store it? I read online some people store the request in the local thread so its accessible throughout the app. Wondering on your thoughts if this could be a solution?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than caching it, you can just place it in the request object so the things using it downstream have access to it. You can also just ignore using a middleware and get it out when you need it from the headers in the request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thing is, I use it in a util function called get_fits thats called basically everywhere, so we'd have to pass the request object to every function as an argument. So I was looking for a global scope to store it in, unless theres a way to access the request object from anywhere already? Putting it in local()
seems like a common thing people do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I would just pass it where it needs to go... I haven't used local stuff before but maybe that is okay too?
@@ -92,7 +92,7 @@ def get_archive_url(basename: str, archive: str = settings.ARCHIVE_API) -> dict: | |||
query_params = {'basename_exact': basename } | |||
|
|||
headers = { | |||
'Authorization': f'Token {settings.ARCHIVE_API_TOKEN}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's fine to have a super user archive token here. I don't think we necessarily need to set it per-user, as the UI will only be requesting images that the user has access to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The point of doing this is to have the users own token passed in so the permissions they have is enforced. Right now using a superuser token, anyone could manually make a datalab api request for data they don't have permissions for and get it, so its a security issue.
tested out threading local but its a little too much just to take care of having an auth token for archive requests. Theres going to a refactor of the data to create an ImageData class so this is better added to that as introducing that class will change a lot about how images are fetched and data worked on. |
Archive Token from Request
get_archive_url
bonus:
api/
treeWarning: When deploying this PR remember to remove the ARCHIVE TOKEN setting from the helm charts or wherever we populate settings