Bug 196461

Summary: [ews-app] Use API_KEY to accept results data
Product: WebKit Reporter: Aakash Jain <aakash_jain>
Component: Tools / TestsAssignee: Aakash Jain <aakash_jain>
Status: RESOLVED FIXED    
Severity: Normal CC: aakash_jain, ap, commit-queue, dean_johnson, dewei_zhu, jbedard, kocsen_chung, lforschler, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Aakash Jain
Reported 2019-04-01 13:43:44 PDT
ews-app should use an API_KEY to accept results data. This is to prevent unauthorized machines sending data to ews-app.
Attachments
Patch (2.33 KB, patch)
2019-04-01 13:46 PDT, Aakash Jain 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Aakash Jain
Comment 1 2019-04-01 13:46:51 PDT
Created attachment 366419 [details] Patch
dewei_zhu
Comment 2 2019-04-01 13:59:09 PDT
Comment on attachment 366419 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366419&action=review > Tools/BuildSlaveSupport/ews-app/ews/views/results.py:46 > + if data.get('EWS_API_KEY') != os.getenv('EWS_API_KEY', None): Is both bot and server without 'EWS_API_KEY' set still working expected?
Aakash Jain
Comment 3 2019-04-01 14:10:47 PDT
> Is both bot and server without 'EWS_API_KEY' set still working expected? Yes, I tested that scenario, works fine.
dewei_zhu
Comment 4 2019-04-01 14:11:32 PDT
Comment on attachment 366419 [details] Patch r=me
WebKit Commit Bot
Comment 5 2019-04-01 14:57:19 PDT
Comment on attachment 366419 [details] Patch Clearing flags on attachment: 366419 Committed r243716: <https://trac.webkit.org/changeset/243716>
WebKit Commit Bot
Comment 6 2019-04-01 14:57:20 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2019-04-01 14:58:23 PDT
<rdar://problem/49496381>
Kocsen Chung
Comment 8 2019-04-01 15:16:41 PDT
This is probably _fine_, but traditionally API keys are vended by the application (and then safely kept somewhere) and verified against that. The proposed approach makes this app kind of like a "master password" approach which I think has limitations for the application. Here's a very simple example on what I would expect the functionality of this app to be like: https://django-simple-api-key.readthedocs.io/en/latest/usage.html
Note You need to log in before you can comment on or make changes to this bug.