Launchpad itself

anonymous readonly api requests should not require an OAuth key

Bug #605866 reported by Martin Pool
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Low
Leonard Richardson
Launchpad itself 10.08

Bug Description

It's now possible for an api client to "log in anonymously" to get at public readonly objects, which is great. It would be nice if we took the next step and just let API GET methods be sent without requiring an OAuth token at all.

To reproduce:
GET https://api.launchpad.net/bzr/+bug/98836/

What does happen:
> Request is missing an OAuth consumer key.

What should happen:
I get a json representation of that bug.

Why:
- This would make it a bit easier for people to write non-launchpadlib-based api clients, and to experiment with new approaches to client access.
- It would help with interactive examination of the API (by posting things into a browser)
- It would cut a few roundtrips off startup time
- It might make it easier to pull json into other apps or mashups
- It may reduce pressure to do screenscraping
- The restriction seems pointless

We may want to encourage clients to send a meaningful User-Agent header, and to make it easier for launchpadlib users to specify a string to add to that (if they don't already.) Then we can track or throttle usage.

Arguably clients should check robots.txt before reading many files.

I'm told there's a workaround of adding '/api/beta' to the user-oriented url but I can't get that to work.

Related branches

lp:~leonardr/launchpad/true-anonymous-access
Guilherme Salgado (community): Approve
Gary Poster (community): Approve
Martin Pool (community): Approve
Diff: 141 lines (+88/-9)
2 files modified
lib/canonical/launchpad/pagetests/webservice/xx-service.txt (+70/-2)
lib/canonical/launchpad/webapp/servers.py (+18/-7)
Revision history for this message
James Westby (james-w) wrote :

https://api.launchpad.net/api/beta/bzr/+bug/98836/

Revision history for this message
Martin Pool (mbp) wrote :

Leonard started on this (yay!) https://code.edge.launchpad.net/~leonardr/launchpad/true-anonymous-access/+merge/30088

Changed in launchpad-foundations:
assignee: nobody → Leonard Richardson (leonardr)
status: New → In Progress
Gary Poster (gary)
Changed in launchpad-foundations:
importance: Undecided → Low
Revision history for this message
Launchpad QA Bot (lpqabot) wrote : Bug fixed by a commit

Fixed in stable r11153 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/11153>.

Changed in launchpad-foundations:
milestone: none → 10.08
tags: added: qa-needstesting
Changed in launchpad-foundations:
status: In Progress → Fix Committed
Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 605866] Re: anonymous readonly api requests should not require an OAuth key

On 20 July 2010 09:33, Launchpad QA Bot <email address hidden> wrote:
> Fixed in stable r11153 <http://bazaar.launchpad.net/~launchpad-
> pqm/launchpad/stable/revision/11153>.
>
> ** Changed in: launchpad-foundations
>    Milestone: None => 10.08
>
> ** Tags added: qa-needstesting

This doesn't work on https://api.staging.launchpad.net/bzr/+bug/98836/
 yet, but staging's footer says it's still on r9549.

--
Martin

Revision history for this message
Leonard Richardson (leonardr) wrote :

Verified on edge, still not present on staging.

Revision history for this message
Martin Pool (mbp) wrote :

On 20 July 2010 14:27, Leonard Richardson
<email address hidden> wrote:
> Verified on edge, still not present on staging.

<https://api.edge.launchpad.net/bzr/+bug/98836/> is a bit strange
because it displays what looks like a Python object repr:

  Object: <canonical.launchpad.webapp.servers.WebServiceClientRequest
instance URL=https://api.edge.launchpad.net>, name: ''

I guess this should be a 404 or some other error? Probably this was
latent all the time?

<https://api.edge.launchpad.net/1.0/bugs/98836/> works well though
when you ask for json. Thanks.

I guess this needs as a followon some way to tell launchpadlib to
start working with no oauth?

--
Martin

Revision history for this message
Gary Poster (gary) wrote :

On Jul 20, 2010, at 8:54 AM, Martin Pool wrote:
...
> I guess this needs as a followon some way to tell launchpadlib to
> start working with no oauth?

Why is an anonymous oauth connection (https://help.launchpad.net/API/launchpadlib#Anonymous%20access) not sufficient/effectively equivalent?

Revision history for this message
Martin Pool (mbp) wrote :

On 20 July 2010 15:23, Gary Poster <email address hidden> wrote:
> On Jul 20, 2010, at 8:54 AM, Martin Pool wrote:
> ...
>> I guess this needs as a followon some way to tell launchpadlib to
>> start working with no oauth?
>
> Why is an anonymous oauth connection
> (https://help.launchpad.net/API/launchpadlib#Anonymous%20access) not
> sufficient/effectively equivalent?

I thought that it needed to do some extra roundtrips to generate the
anonymous token, but I was wrong. It just sends oauth_version="1.0",
oauth_token="", oauth_signature="%26". So never mind.

Thanks
--
Martin

Leonard Richardson (leonardr)
tags: added: qa-ok
removed: qa-needstesting
Diogo Matsubara (matsubara)
Changed in launchpad-foundations:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.