Pass the API key in a more secure manner in the EWS Django app. Instead of appending the API key to the URL, it should be passed as a requests.get parameter. One benefit of that is that, if the URL is logged, the API key wouldn't appear in the logs. Similar to https://trac.webkit.org/changeset/258008/webkit
Created attachment 404925 [details] Patch
Comment on attachment 404925 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=404925&action=review

> Tools/BuildSlaveSupport/ews-app/ews/common/bugzilla.py:98
> + # Catching all exceptions here to safeguard api key.

You say you're catching all exceptions to safeguard the API key, but then you log the exception anyways? Is that deliberate? I suppose you're guaranteeing that the exception won't end up in the response, but the API could still end up in the log, no?
Comment on attachment 404925 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=404925&action=review

>> Tools/BuildSlaveSupport/ews-app/ews/common/bugzilla.py:98
>> + # Catching all exceptions here to safeguard api key.
>
> You say you're catching all exceptions to safeguard the API key, but then you log the exception anyways? Is that deliberate? I suppose you're guaranteeing that the exception won't end up in the response, but the API could still end up in the log, no?

Oops, I printed the exception here for debugging. Thanks for catching that.
Created attachment 404935 [details] Patch
Committed r264711: <https://trac.webkit.org/changeset/264711> All reviewed patches have been landed. Closing bug and clearing flags on attachment 404935 [details].
<rdar://problem/65945882>
Deployed the change on the server.
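
The pattern discussed in this bug, as an added example that is not code from the WebKit patch: the key travels in `params=` so the logged URL never contains it, and the exception handler logs only the exception type because an HTTP client's error message can embed the final URL with its query string. The names `fetch_bug`, `failing_get` and `demo`, the host and the key value are assumptions constructed for illustration; `http_get` is injected so the example runs offline.

```python
import io
import logging
from urllib.parse import urlencode

BUGZILLA_URL = "https://bugzilla.example.test/"  # placeholder host (assumption)


def fetch_bug(bug_id, api_key, http_get, log):
    """Return the response, or None on failure, without logging api_key."""
    url = f"{BUGZILLA_URL}rest/bug/{bug_id}"
    log.info("Fetching %s", url)  # safe: the key is not part of `url`
    try:
        # In the real app http_get would be requests.get, which accepts
        # url, params= and timeout= in this form.
        return http_get(url, params={"api_key": api_key}, timeout=10)
    except Exception as e:
        # HTTP client errors often embed the final URL, query string
        # included, in str(e). Log the exception type only.
        log.error("Failed to fetch %s: %s", url, type(e).__name__)
        return None


def failing_get(url, params=None, timeout=None):
    """Constructed stand-in for a network failure: like a real client, the
    error message carries the full request URL with its query string."""
    raise ConnectionError(
        f"Max retries exceeded with url: {url}?{urlencode(params)}")


def demo(api_key="CONSTRUCTED-KEY-123"):
    """Run one failing fetch and return (result, captured log text)."""
    buf = io.StringIO()
    log = logging.getLogger("ews.demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    try:
        result = fetch_bug(42, api_key, failing_get, log)
    finally:
        log.removeHandler(handler)
    return result, buf.getvalue()


if __name__ == "__main__":
    print(demo()[1])
```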