Do not require HTACCESS login/password on API requests for .net #8582

Closed
teolemon opened this issue Jun 19, 2023 · 6 comments
Labels

  • 🔐 API auth: The API requires auth in order to perform editing. There is a common mechanism & a Robotoff mechanism
  • API: Issues related to the Open Food Facts API. More specific labels exist & should be used (API WRITE…)
  • htaccess
  • needs reprocessing: Issue has been fixed but all products need to be reprocessed to remove bug from database.

Comments

@teolemon
Member

Task

  • Do not require HTACCESS login/password on API requests for .net as it forces developers to tweak behaviors between prod and staging, bringing challenges for debugging, CI, implementation…

Part of

cc @raphael0202

@teolemon added the API, 🔐 API auth, needs reprocessing and htaccess labels Jun 19, 2023

@alexgarel
Member

@teolemon can we be more precise? It's about calls to /api/, that's it?

@teolemon
Member Author

yes

@hangy
Member

hangy commented Jun 27, 2023

Some API requests also go to cgi/image_something.pl.
What's the original intention for the htaccess login @stephanegigandet? Could it also be replaced with some warning in the website, which tells users that they're working in a staging environment?
That might be easier to understand than some files being protected with basic auth, while others are accessible.

@stephanegigandet
Contributor

@hangy the intention was to make sure it is not crawled and indexed by search engines

@stephanegigandet
Contributor

I removed the authentication in the proxy for queries to .net that start with /api/ or /cgi/

@proxy:/etc/nginx/conf.d# git diff
diff --git a/nginx/conf.d/openfoodfacts.net.conf b/nginx/conf.d/openfoodfacts.net.conf
index 8fbe027..f722e46 100644
--- a/nginx/conf.d/openfoodfacts.net.conf
+++ b/nginx/conf.d/openfoodfacts.net.conf
@@ -5,7 +5,6 @@ server {
 
     # Require an "off" username and "off" password to make sure the site is not
     # indexed by search engines
-    auth_basic "login and password: off";
     auth_basic_user_file /etc/nginx/off.htpasswd;
 
     access_log  /var/log/nginx/openfoodfacts.net.log  main;
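Review bot: the comment kept above auth_basic_user_file ("Require an "off" username and "off" password ...") no longer matches what the server block does. With the auth_basic line removed here, the server-level auth_basic_user_file only names the password file and enforces nothing by itself, so authentication applies only in a location that sets auth_basic, and any location added later is open by default. Suggest rewording the comment to say that, or keeping auth_basic at server level and putting `auth_basic off;` in the locations meant to be public, so the default stays closed.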
@@ -16,6 +15,23 @@ server {
         proxy_buffering off;
         proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
+       # require authentication so that it is not crawled by robots
+       auth_basic "login and password: off";
+    }
+
+    # Do not require authentication for the API
+    location /api/ {
+        proxy_pass http://10.1.0.200:80/api/;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header Host $host;
+    }
+
+    location /cgi/ {
+        proxy_pass http://10.1.0.200:80/;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header Host $host;
     }
 
     listen 443 ssl; # managed by Certbot
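Review bot: in the new location /cgi/ block, `proxy_pass http://10.1.0.200:80/;` ends in a bare "/", so nginx replaces the matched /cgi/ prefix with "/" and a request for /cgi/foo.pl reaches the backend as /foo.pl. The /api/ block above it maps to /api/, so this looks like it should be `proxy_pass http://10.1.0.200:80/cgi/;`. Separately, the two new locations lose the only measure the added comment cites against crawling; consider `add_header X-Robots-Tag "noindex, nofollow";` in both. The indentation of the proxy_set_header Host lines and the added comment is also one column off from the surrounding lines.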
@proxy:/etc/nginx/conf.d# git commit -m "remove authentication for .net API requests" openfoodfacts.net.conf 

@alexgarel
Member

Perfect!
