Time
S
Nick
Message
09:11
bencomp joined #dataverse
10:56
bencomp joined #dataverse
15:16
axfelix joined #dataverse
19:03
garnett joined #dataverse
19:06
garnett joined #dataverse
20:17
michbarsinai joined #dataverse
20:18
michbarsinai
Phil?
20:24
pdurbin
michbarsinai: hi!
20:24
michbarsinai
Hello! I'm trying to work on https://github.com/IQSS/dataverse/issues/1818
20:25
trobitaille joined #dataverse
20:25
michbarsinai
Where we give the user's API token out
20:25
michbarsinai
They want a JSON endpoint, but
20:25
pdurbin
yep
20:25
pdurbin
they sure do :)
20:25
trobitaille
pdurbin - quick question, when I try and use the search API on the dataverse-demo.iq.harvard.edu server I get b'{ status:"error", message:"Endpoint available from localhost only. Please contact the dataverse administrator"}\n'
20:25
trobitaille
would it be possible to enable that, or is it disabled for security reasons?
20:26
michbarsinai
(1 sec) It's very much a GET request. So no body, and not JSON
20:26
pdurbin
trobitaille: a fix for that will go out with the next push. sorry
20:26
pdurbin
trobitaille: guess what. michbarsinai is here to talk about giving our API keys for existing users :)
20:26
pdurbin
(the ticket you opened)
20:26
trobitaille
pdurbin - great to both things!
20:26
trobitaille
:)
20:26
trobitaille
thanks!
20:27
michbarsinai
Would they mind if we use query params as in username=U&password=p?
20:27
pdurbin
michbarsinai: let's ask trobitaille
20:27
michbarsinai
And, if by "they" I actually mean trobitaille, that's even better
20:27
michbarsinai
trobitaille?
20:27
pdurbin
michbarsinai: what if you sent the username and password with http basic auth?
20:27
pdurbin
over https of course
20:27
trobitaille
Sorry, just having a think - if it's passed as a GET request then they would be passed in clear, correct?
20:27
pdurbin
that's how sword works
20:28
michbarsinai
brb
20:28
pdurbin
trobitaille: yes, all this would be in the clear
20:28
pdurbin
well
20:28
pdurbin
it would be over https
20:28
pdurbin
so *not* in the clear
20:28
pdurbin
but you'd pass your actual password
20:28
pdurbin
over https
20:29
pdurbin
but michbarsinai is asking if you'd rather pass query parameters or something else
20:29
trobitaille
it's not 'clear' to me (no pun intended) but I don't *think* the URL itself is encrypted though right?
20:29
pdurbin
something else could be http basic auth
20:29
trobitaille
just need to check
20:29
trobitaille
back in 2 min
20:30
trobitaille
ah sorry I guess I was wrong, URL is still encrypted
20:30
trobitaille
when over https
20:31
trobitaille
so query params would be fine for me, checking if basic auth would also be ok
20:31
trobitaille
Basic auth is also fine, requests supports it: http://docs.python-requests.org/en/latest/user/authentication/
20:31
trobitaille
that's what I was checking :)
20:31
trobitaille
so to me it doesn't really matter
20:31
pdurbin
michbarsinai: should we support both? that's what redmine does
20:32
pdurbin
they support three ways: http://www.redmine.org/projects/redmine/wiki/Rest_api#Authentication
20:33
michbarsinai
back
20:34
pdurbin
michbarsinai: want to support all three ways? :)
20:34
michbarsinai
given the fact that it's 23:34 here, one way would be good enough for 4.0. 4.0.1 can have 5 :-)
20:34
michbarsinai
Looking into it, though. May be easy
20:34
pdurbin
trobitaille: you get to pick :)
20:35
trobitaille
(thinking, will be quick!)
20:35
michbarsinai
That's not really 3 ways, though. It's basically API key or basic auth
20:36
trobitaille
which one is faster to implement?
20:36
michbarsinai
The key can pass via a param, a username in basic auth and a special X-Redmine-API-Key header
20:36
michbarsinai
So, they have 2 ways, really, keyand auth
20:36
michbarsinai
key and auth
20:37
trobitaille
there's two things though
20:37
michbarsinai
easiest would be query params. I think it's also the most http-like, since we don't really do basic auth here
20:37
trobitaille
you could support basic auth for all requests in general instead of key
20:37
trobitaille
but here we're just talking about *getting* the key right?
20:37
michbarsinai
That's not happening tonight :-)
20:38
trobitaille
My situation is the users will have only username and password so if I can pass both as query params and get the key back, I'm happy
20:38
michbarsinai
Yes. The main issue was that the GitHub issue said "JSON endpoint", but that's a GET request, so no body
20:38
trobitaille
ahh ok, sorry, got terminology confused
20:39
michbarsinai
Great. The answer will be in json, probably { status:"ok", data:"api-key-goes-here"}
20:39
trobitaille
yes, perfect!
20:39
trobitaille
also could have a similar API to create key if doesn't already exist
20:39
michbarsinai
Lovely. I'm on it.
20:39
trobitaille
(or could be an extra bool param)
20:39
trobitaille
ok thanks!
20:40
michbarsinai
You'll always get a key for a built in user, on creation time. Not sure about other users, as this may create security loophopes
20:40
michbarsinai
loopholes
20:40
trobitaille
as a side note, I'm implementing a simple JSON-based Python API here: https://github.com/astrofrog/pyverse/blob/master/pyverse.py - though once I have a better handle on it I can try and see how it could fit in to the existing client code and do a PR
20:41
trobitaille
michbarsinai - ah right yes, that makes sense
20:49
trobitaille
michbarsinai pdurbin - once again, thanks for your help!
20:49
michbarsinai
Our pleasure!
21:00
michbarsinai
Phil, I'll need to change the users api point, I think, to "builtin-users"
21:01
michbarsinai
or, we could go with users/builtin/username (as in users/{provider}/{user provider id})
21:12
michbarsinai
…or not… nevermind
21:26
pdurbin
michbarsinai: nevermind? :)
21:27
michbarsinai
I thought I can leave it, but that would be wrong. I'm refactoring it to builtin-users
21:27
michbarsinai
Should have done that long time ago
21:28
pdurbin
michbarsinai: well hold on. A shib user can have an API key.
21:29
michbarsinai
True, but we won't be able to get it via username and password from us anyway
21:29
pdurbin
touche :)
21:30
michbarsinai
Still a valid case, though :-/
21:30
michbarsinai
Oh well. Let's serve our builtins first
21:30
pdurbin
I guess the rule is... to log into Dataverse via Shib you *must* use a web browser. Unless someone can figure out how to do it with curl. :)
21:31
michbarsinai
Hmmmmmm… now that would make Marlena happy
21:32
michbarsinai
Just tweet that it's possible, wait 10 mins and claim it's an April Fools joke
21:32
pdurbin
heh
21:32
pdurbin
maybe it *is* possible. I don't know
21:32
michbarsinai
It should be, It's just HTTP calls, right? Dunno
21:35
michbarsinai
OK. Pushed, new api endpoint and all. I'll let Gustavo know and call it a day.
21:36
pdurbin
michbarsinai: I just let him know. Get some sleep!
21:38
michbarsinai
I'll try… just remembered I've got to config the router to get Netflix (it's blocked outside the US so there are DNS tricks…)
21:38
pdurbin
ah
21:38
pdurbin
I'm running my tests.
21:38
pdurbin
uh oh
21:38
pdurbin
stuff breaking
21:39
pdurbin
michbarsinai: ^^
21:39
michbarsinai
which stuff?
21:40
pdurbin
michbarsinai: https://github.com/IQSS/dataverse/blob/master/scripts/search/create-users
21:41
michbarsinai
no way, I've just tested that
21:41
pdurbin
looks like s/users/builtin-users/ should fix it
21:41
michbarsinai
Oh, not that, sorry. Only stuff in /api/
21:41
michbarsinai
that should fix it, yes
21:41
michbarsinai
tell me how it goes, before I reconfig my router :-)
21:42
pdurbin
will know soon
21:44
pdurbin
michbarsinai: yep. good fix. pushed: update for new builtin-users endpoint · IQSS/dataverse a038a55 - https://github.com/IQSS/dataverse/commit/a038a5579d6d3068081f5b693258d5c558e768a1
21:44
michbarsinai
Lovely
21:55
michbarsinai
All done. I'm going to sleep. I hope I'll see that "Dataverse 4.0 released" email when I wake up :-)
21:55
michbarsinai
bye!
21:57
axfelix joined #dataverse