Add ability to revoke access to specific Openverse API registered client applications #4321
Comments
Hi @sarayourfriend, I'd like to take on this.
Sure thing @madewithkode. You've seen it is high priority, so we'll be working on a quick turnaround for reviews and requested changes. You're welcome to work on it, but I'll ask you to be extra proactive in communicating any potential delays so we can hand off if needed. You've been a proactive communicator in the past, so I think it should be fine; I just wanted to clarify expectations on this particular issue.

For implementation, to add a new throttle scope, create a new class. Here's the code of the exempt throttle class: openverse/api/api/utils/throttle.py, lines 186 to 188 at c92d484.

You'll also need to add a "revoked" entry to the openverse/api/api/models/oauth.py, lines 30 to 36 at 098925a.

Django admin is already configured for the rate_limit_model field to be configurable by admins, so there's no need to make changes to Django admin for this issue. Finally, in

That's the implementation work, I think. The last part is to add and update openverse/api/test/integration/test_auth.py, line 135 at 575f529.

This is a significant issue with a few different moving parts, and the unit tests will almost certainly require adjustments to existing tests (at the very least to exclude the "revoked" throttle class from tests that expect authentication to pass), as well as brand new tests.
Problem
Our main tool to fight ToS violations at the moment is to employ Cloudflare rules targeting particular request/response headers. This works well, but isn't necessarily intuitive, and we can do more in this regard. We have no way built into Django admin to revoke access to a client application.
Description
Add a new throttle scope "revoked" that simply disallows access. Either raise a 401 in the throttle itself, or, probably better, augment conf.oauth2_extensions.OAuth2Authentication to check the scope and raise DRF's unauthorised exception when the throttle scope is "revoked".

We'll be adding a new boolean "revoked" to the throttled application instead. See context in this comment: #4334 (comment)

Alternatives
A workaround is to set the throttled application back to unverified. The registrant would not receive a new email to re-verify, so this effectively revokes access, as unverified applications receive 401s as well. However, this is only a workaround, and is indirect (there's no way to make this clear in Django admin, nowhere near as clear as an explicit throttle scope). As such, it is not a satisfactory long-term solution.
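The two denial mechanisms discussed in this thread (a "revoked" throttle scope that refuses every request, and an authentication-level check on a new "revoked" boolean that answers 401 before any view runs), as an added, framework-free example that is not Openverse code and does not import Django or DRF. The ThrottledApplication fields, the token store, the rate_limit_model values other than "revoked", and the AuthenticationFailed / RevokedRateThrottle classes are assumptions that only mirror the shape of DRF's authenticate() and allow_request() contracts:

```python
"""Sketch of the "revoked" access check from the issue, runnable without Django/DRF.

Everything here is an assumption for illustration: field names, sample tokens,
and the stand-in classes that mimic DRF's BaseAuthentication / BaseThrottle
method signatures. None of it is the Openverse API's own code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Stand-in for the rate_limit_model choices; "revoked" is the new entry
# proposed in the issue, the other names are assumed.
RATE_LIMIT_MODELS = ("standard", "enhanced", "exempt", "revoked")


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (HTTP 401)."""
    status_code = 401


@dataclass
class ThrottledApplication:
    name: str
    verified: bool = True
    revoked: bool = False          # the new boolean the issue settles on
    rate_limit_model: str = "standard"

    def __post_init__(self) -> None:
        if self.rate_limit_model not in RATE_LIMIT_MODELS:
            raise ValueError(f"unknown rate_limit_model {self.rate_limit_model!r}")


# Constructed sample token store (token -> application); not real credentials.
APPS: Dict[str, ThrottledApplication] = {
    "tok-good": ThrottledApplication("good-app"),
    "tok-unverified": ThrottledApplication("pending-app", verified=False),
    "tok-revoked": ThrottledApplication("abusive-app", revoked=True),
    "tok-revoked-scope": ThrottledApplication("scoped-app", rate_limit_model="revoked"),
}


def revoke_access(app: ThrottledApplication) -> ThrottledApplication:
    """Admin-side action: flip the explicit flag rather than un-verifying the app."""
    app.revoked = True
    return app


def authenticate(token: Optional[str]) -> Optional[Tuple[ThrottledApplication, str]]:
    """Mimics DRF authenticate(): (app, token) on success, None for anonymous.

    Unverified and revoked applications both get AuthenticationFailed (401),
    so a revoked client is refused before any throttle or view is reached.
    """
    if token is None:
        return None
    app = APPS.get(token)
    if app is None:
        raise AuthenticationFailed("invalid token")
    if not app.verified:
        raise AuthenticationFailed("application not verified")
    if app.revoked:
        raise AuthenticationFailed("application access revoked")
    return app, token


class RevokedRateThrottle:
    """The throttle-scope variant: allow_request() always says no."""
    scope = "revoked"

    def allow_request(self, request, view) -> bool:
        return False

    def wait(self) -> Optional[float]:
        return None  # no Retry-After hint: the denial is not time-based


# Only the scope relevant here is wired up; other scopes are treated as unthrottled.
THROTTLES = {"revoked": RevokedRateThrottle}


def handle(token: Optional[str]) -> Tuple[int, str]:
    """Tiny request pipeline: authentication first, then the app's throttle scope."""
    try:
        auth = authenticate(token)
    except AuthenticationFailed as exc:
        return exc.status_code, str(exc)
    if auth is None:
        return 200, "anonymous ok"
    app, _ = auth
    throttle_cls = THROTTLES.get(app.rate_limit_model)
    if throttle_cls is not None and not throttle_cls().allow_request(None, None):
        return 429, f"throttle scope {app.rate_limit_model!r} denied request"
    return 200, f"ok for {app.name}"


if __name__ == "__main__":
    for tok in (None, "tok-good", "tok-unverified", "tok-revoked", "tok-revoked-scope", "bogus"):
        print(tok, "->", handle(tok))
```

The pipeline makes the trade-off in the issue visible: a revoked throttle scope surfaces as a 429, which reads like an ordinary rate limit to the client and to anyone reviewing logs, while the boolean checked in authenticate() yields a 401 with an explicit reason, which is easier to distinguish from the "unverified" workaround when auditing denials.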