Secure API for listing users and groups #338
Conversation
There was a problem hiding this comment.
Looks like you're trying to implement your own simple security protocol of "does the requesting client have the global secret key?". That doesn't seem very secure.
Can you comment on what makes this implementation secure? And why not just use Cognito since we already have that?
There was a problem hiding this comment.
Thanks for adding the code to support API keys!
I found a few problems, but the thing that's blocking my ability to do the review is I need confirmation for what part of the User model it's okay to return in the endpoint. I remember Bonnie said PracticeArea and ProgramArea are public in this comment.
| @@ -37,6 +38,8 @@ | |||
| router.register( | |||
| r"stack-element-types", StackElementTypeViewSet, basename="stack-element-type" | |||
| ) | |||
| router.register(r"apikey/getusers", ApiKeyUserViewSet, basename="apikey-getusers") | |||
| router.register(r"sdgs", SdgViewSet, basename="sdg") | |||
There was a problem hiding this comment.
Looks like a duplicate line got added here?
|
|
||
| # Quick-start development settings - unsuitable for production | ||
| # See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/ | ||
|
|
||
| # SECURITY WARNING: keep the secret key used in production secret! | ||
| SECRET_KEY = os.environ.get("SECRET_KEY") | ||
|
|
||
|
|
There was a problem hiding this comment.
Adding an extra blank line? Possibly a merging artifact?
| @@ -30,6 +30,7 @@ djangorestframework==3.14.0 | |||
| # via | |||
| # drf-jwt | |||
| # drf-spectacular | |||
| djangorestframework-api-key>=3.0 | |||
There was a problem hiding this comment.
We're using pip-compile (actually the uv version of it) to generate requirements.txt from requirements.in . You can add the dependency to requirements.in and run this command to generate requirements.txt.
docker-compose exec web uv pip compile requirements.in -o requirements.txt --no-header There's documentation on how to use it for upgrading dependencies. The command above is just missing the --upgrade flag.
| @@ -59,6 +60,7 @@ platformdirs==4.2.0 | |||
| # via black | |||
| pluggy==1.4.0 | |||
| # via pytest | |||
| pre-commit==3.7.1 | |||
There was a problem hiding this comment.
Why do you want to install pre-commit inside the docker container?
| queryset = PracticeArea.objects.all() | ||
| serializer_class = PracticeAreaSerializer # HasAPIKey checks against keys stored in |
There was a problem hiding this comment.
These 2 lines don't seem to do anything and they're soon replaced by the next 2 code lines of User objects and UserSerializer. Maybe you meant to remove them?
| queryset = User.objects.all() | ||
|
|
||
| # when instantiated, get_serializer_context will be called | ||
| serializer_class = UserSerializer |
There was a problem hiding this comment.
Are you sure you should be returning all the User data here rather than a subset that doesn't contain personally identifiable information (PII)?
What I mean is UserSerializer is exposing all the data.
I don't know if this PR is dependent on the user permission changes to somehow limit the exposed data fields, but the code right now will return all user table data, which doesn't seem like a good idea.
There was a problem hiding this comment.
This probably should have been settled in the planning stage of this feature rather than during the PR review.
To clarify further, the problem I see is this new API key authentication method allows the API client to view user data without any of the limitations that are applied to permission-tiered users.
These are the fields it returns for user:
fields = (
"uuid",
"username",
"created_at",
"updated_at",
"email",
"first_name",
"last_name",
"gmail",
"preferred_email",
"current_job_title",
"target_job_title",
"current_skills",
"target_skills",
"linkedin_account",
"github_handle",
"slack_id",
"phone",
"texting_ok",
"time_zone",
"groups",
)
I'm thinking that KnowledgeBase doesn't really need or care about a user's phone number to function.
So I think we need to consult the "permissions team" (@ExperimentsInHonesty @Neecolaa) to figure out/negotiate what data this should include based on what data KnowledgeBase requires to function.
This seems to mean adding more/duplicate work to the "permissions" team (@ExperimentsInHonesty and @Neecolaa) to define exactly what tables and fields this new method can allow an API client to access. Would it be better to say the API client has the same permissions as one of the already-defined user permissions tier such as unverifiedUser or stakeholder API? In that case, wouldn't it be simpler to just use a service account (special user account with the right permission level) instead?
For reference: here's the Field Permissions sheet being worked on currently.
Fixes #331
What changes did you make?
A new api secret-api/getusers lists users and the groups the users are assigned to. The API is authorized through an API key rather than user credentials.
Why did you make the changes (we will use this info to test)?
See issue #331 and see test_secret_api.py fir tests,