Project

General

Profile

Actions

Feature #1377

closed

API: IP restrictions

Added by Alexander Watzinger about 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Category:
API
Target version:
Start date:
2020-10-03
Estimated time:

Description

Although it doesn't solve the issue for JavaScript frontends (#1233) it could be useful for other scenarios e.g. for THANADOS which doesn't want all data public but uses a Flask frontend.

Implementation details
  • Overrides the public (off) option
  • localhost should always be accepted (for use in the backend)
  • Multiple IPs are possible
  • Can be configured in instance/production.py

Related issues 1 (1 open0 closed)

Related to OpenAtlas - Feature #1233: API: External Authentication Acknowledged2020-05-10Actions
Actions #1

Updated by Bernhard Koschiček-Krombholz almost 4 years ago

  • Target version changed from 208 to 6.3.0
Actions #2

Updated by Bernhard Koschiček-Krombholz almost 4 years ago

  • Status changed from Acknowledged to In Progress
  • Assignee changed from Bernhard Koschiček-Krombholz to Alexander Watzinger
  • Target version changed from 6.3.0 to 6.0.0

On develop the new feature is available. It is a decorator @check_ip, which checks the incoming IP against a list of IPs in app.config['ALLOWED_IPS']. I added it to every /api/ path.

Only logged in users can access the API or clients with the IP on the whitelist. I tested localhost locally, there it works.

I think my part is done.

Actions #3

Updated by Bernhard Koschiček-Krombholz almost 4 years ago

  • Target version changed from 6.0.0 to 6.3.0
Actions #4

Updated by Bernhard Koschiček-Krombholz almost 4 years ago

Actions #5

Updated by Alexander Watzinger almost 4 years ago

  • Description updated (diff)
  • Status changed from In Progress to Closed
  • Target version changed from 6.3.0 to 6.0.0

Thank you Berni for preparing, there were multiple issues:

Already fixed
  • IP should have overwritten the public off option but not the public on option, maybe I should have communicate that more clearly
  • Since I don't think we need two access functions I merge them. But I wasn't sure why they weren't always called together so I hope I didn't miss something
  • I noticed some inconsistency with orders of wrappers, this can matter so better watch out there
  • I changed the error msg in api_access to "'Access denied!'" but not sure if we haven't already talked about this and there was a reason for this
Not fixed
  • Configuration is still in default.py, I change that in one go if I move other stuff too
  • Code coverage is now missing for 403 because localhost is always allowed but we wanted to look at tests anyway so I left it for now

I hope I didn't missed or break something on my part. It's all pushed in develop and online at the 2 frontend. Thanks again and see you soon.

Actions #6

Updated by Alexander Watzinger almost 4 years ago

  • Target version changed from 6.0.0 to 5.6.0
Actions

Also available in: Atom PDF