Bug 196461 - [ews-app] Use API_KEY to accept results data
Summary: [ews-app] Use API_KEY to accept results data
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Aakash Jain
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-01 13:43 PDT by Aakash Jain
Modified: 2019-04-01 15:16 PDT

See Also:


Attachments
Patch (2.33 KB, patch)
2019-04-01 13:46 PDT, Aakash Jain

Description Aakash Jain 2019-04-01 13:43:44 PDT
ews-app should use an API_KEY to accept results data. This is to prevent unauthorized machines sending data to ews-app.
Comment 1 Aakash Jain 2019-04-01 13:46:51 PDT
Created attachment 366419 [details]
Patch
Comment 2 dewei_zhu 2019-04-01 13:59:09 PDT
Comment on attachment 366419 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366419&action=review

> Tools/BuildSlaveSupport/ews-app/ews/views/results.py:46
> +        if data.get('EWS_API_KEY') != os.getenv('EWS_API_KEY', None):
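Review bot: this check fails open when the server has no EWS_API_KEY configured: `os.getenv('EWS_API_KEY', None)` returns None, a request that omits the field also yields None from `data.get('EWS_API_KEY')`, so the `!=` is false and the request is accepted. Consider rejecting when the environment variable is unset or the request carries no key (fail closed), and comparing with `hmac.compare_digest` instead of `!=` so the comparison does not leak timing.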

Are both bot and server still working as expected without 'EWS_API_KEY' set?
Comment 3 Aakash Jain 2019-04-01 14:10:47 PDT
> Are both bot and server still working as expected without 'EWS_API_KEY' set?
Yes, I tested that scenario, works fine.
Comment 4 dewei_zhu 2019-04-01 14:11:32 PDT
Comment on attachment 366419 [details]
Patch

r=me
Comment 5 WebKit Commit Bot 2019-04-01 14:57:19 PDT
Comment on attachment 366419 [details]
Patch

Clearing flags on attachment: 366419

Committed r243716: <https://trac.webkit.org/changeset/243716>
Comment 6 WebKit Commit Bot 2019-04-01 14:57:20 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2019-04-01 14:58:23 PDT
<rdar://problem/49496381>
Comment 8 Kocsen Chung 2019-04-01 15:16:41 PDT
This is probably _fine_, but traditionally API keys are vended by the application (and then safely kept somewhere) and verified against that. The proposed approach makes this app kind of like a "master password" approach, which I think has limitations for the application.

Here's a very simple example of what I would expect the functionality of this app to be like: https://django-simple-api-key.readthedocs.io/en/latest/usage.html
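The two designs discussed in this bug side by side, as an added illustration that is not ews-app's code: the shared EWS_API_KEY check in the shape of the landed patch (including its fail-open behaviour when the variable is unset), a fail-closed variant of the same shared-secret design, and a small model of application-vended keys that stores only a hash and can be revoked per bot. Function and class names are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example, not ews-app code. Models the approaches discussed here:
# one shared EWS_API_KEY taken from the environment versus per-bot keys vended
# by the application and verified against a stored hash.


def shared_key_check(data, env=os.environ):
    """Shape of the landed check, returning True when the request is accepted.
    Failure mode: with EWS_API_KEY unset on the server both sides are None,
    so a request without a key is accepted."""
    return data.get('EWS_API_KEY') == env.get('EWS_API_KEY', None)


def shared_key_check_fail_closed(data, env=os.environ):
    """Same shared-secret design, but rejects when no key is configured or
    supplied, and compares in constant time."""
    expected = env.get('EWS_API_KEY')
    supplied = data.get('EWS_API_KEY')
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


class VendedApiKeys:
    """Keys issued per bot by the application. Only a hash of the secret is
    stored, so a leaked store does not yield usable keys, and a single bot's
    key can be revoked without rotating everyone else's."""

    def __init__(self):
        self._keys = {}  # key id -> (bot name, sha256 hex of the secret)

    def issue(self, bot_name):
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = (bot_name, hashlib.sha256(secret.encode()).hexdigest())
        return f"{key_id}.{secret}"  # shown to the bot operator once, at issue time

    def revoke(self, key_id):
        self._keys.pop(key_id, None)

    def verify(self, presented):
        """Return the bot name the key was issued to, or None if it is invalid."""
        key_id, _, secret = presented.partition('.')
        entry = self._keys.get(key_id)
        if entry is None:
            return None
        bot_name, stored = entry
        digest = hashlib.sha256(secret.encode()).hexdigest()
        return bot_name if hmac.compare_digest(digest, stored) else None
```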