Initial structure for APIv3

[humitos]

Structure for APIv3 (django app readthedocs.api.v3),

At the moment, nested expansions are like: /api/v3/projects/pip/?expand=users,active_versions,active_versions.last_build. Also, ?fields=slug,active_versions.slug can be added to select only some fields or ?omit=created,links to omit fields.

Missing parts:

• define proper values for throttling (DEFAULT_THROTTLE_RATES setting)
• decide if we are going to remove privacy_level and description from Project response
• move the module under readthedocs.api.v3
• make nested expansions work properly
• sanitize all fields '' to be null on the response
• return proper version.urls.vcs
• generate version.downloads as full URLs including schema
• declare version.last_build as expansible field
• create serializers for links URLs
• docstring on new methods
• implement Users endpoint (/api/v3/users/ and /api/v3/projects/pip/users/)
• implement BuildCommand endpoint (/api/v3/projects/pip/builds/1025/commands/)
• support . on URLs (the auto generated URL does not support it 'api/v3/projects/(?P<parent_lookup_project__slug>[^/.]+)/versions/(?P<version_slug>[^/.]+)/$')
• tests
• sort keys on response
• allow public detail and deny public listing requests

Example of current project details response: https://gist.github.com/humitos/4c0eab5c4afbca4fa10894c59d2cde09

[davidfischer]

This references something that doesn't exist.

[humitos]

Ups... I forget to push this file.

[stsewd]

Not sure about this, the meaning for repo_type is something different in the model

https://github.com/rtfd/readthedocs.org/blob/dfbc8142e70d2ddd893ecabba765690319b5f5aa/readthedocs/projects/constants.py#L57-L62

[humitos]

repo_type means what I expects. Here we need to know what kind of repository it is to generate a valid http linkfor the online VCS for that version.

This method should probably need to be refactored, anyway. For now, it does what I need, but it's not robust and does not work for all the cases.

[davidfischer]

I think what @stsewd is saying is that gitlab is not even one of the REPO_CHOICES.

In [2]: Project.objects.filter(repo_type='gitlab').count()
Out[2]: 0

This should probably be:

if self.project.repo_type == REPO_TYPE_GIT:

[humitos]

Oh, you both are right!

I got confused here. I want to check if github or gitlab or bitbucket is in the repository's URL since I'm trying to build the URL for the version on the external VCS service.

[stsewd]

We should accept every key from get_downloas instead of filtering them.

[humitos]

I was trying to enforce to have a consistent response on the API, but now I realized that the breaking change will be produced if the field is missing and not if there is one new. So, this check should probably be removed.

[stsewd]

I think we call these main_project and main_language internally

[humitos]

Yes. I think that subproject_of and translation_of are better names for the users of the API, though.

[stsewd]

Suggested change

	* Translations of a projects: ``/api/v3/projects/{project_slug}/translations/``
	* Translations of a project: ``/api/v3/projects/{project_slug}/translations/``

Same for the ones below

[stsewd]

I think we don't allow nested subprojects, so one project can only have one superproject

[humitos]

You are right. This endpoint could be complete removed or named in singular and return a detailed project object instead. Although, I don't think it will be useful.

Probably removing it is better for now.

[davidfischer]

I only tested the project endpoint so far. Here's my feedback:

• I am on a bit of a performance kick but I found a number of performance issues related to object relationships.

• I had to install coreapi. Otherwise I got the error:

  AssertionError: `coreapi` must be installed for schema support.
  

[davidfischer]

I think what @stsewd is saying is that gitlab is not even one of the REPO_CHOICES.

In [2]: Project.objects.filter(repo_type='gitlab').count()
Out[2]: 0

This should probably be:

if self.project.repo_type == REPO_TYPE_GIT:

[davidfischer]

bitbucket is also not a valid repo_type. Do you mean 'bitbucket' in repo?

[davidfischer]

What is this needed for?

[stsewd]

Looks like we are no't using this

[davidfischer]

This and translation_of probably need to be prefetched in the queryset. I'm seeing a lot of duplicate queries to projects_projectrelationship.

[davidfischer]

This should be prefetched in the queryset.

[davidfischer]

This field (via our resolver - see #3712) results in two extra queries per project returned.

[humitos]

The problem with this urls field is the usage of Project.get_docs_url method. I need to check how to improve this.

[ericholscher]

When running locally I get:

  File "/Users/eric/projects/readthedocs.org/readthedocs/v3/urls.py", line 66, in <module>
    public=True),
  File "/Users/eric/.virtualenvs/readthedocs3/lib/python3.6/site-packages/rest_framework/documentation.py", line 68, in include_docs_urls
    permission_classes=permission_classes,
  File "/Users/eric/.virtualenvs/readthedocs3/lib/python3.6/site-packages/rest_framework/documentation.py", line 29, in get_docs_view
    permission_classes=permission_classes,
  File "/Users/eric/.virtualenvs/readthedocs3/lib/python3.6/site-packages/rest_framework/schemas/__init__.py", line 41, in get_schema_view
    urlconf=urlconf, patterns=patterns,
  File "/Users/eric/.virtualenvs/readthedocs3/lib/python3.6/site-packages/rest_framework/schemas/generators.py", line 257, in __init__
    assert coreapi, '`coreapi` must be installed for schema support.'
AssertionError: `coreapi` must be installed for schema support.

A pip install coreapi fixed it.

This is 💯 better than our current API. Super great work!! I read through most of the code and played around with it locally across all the documented endpoints. Feel free to ignore my comments on the REST Browsable API because I think we need to turn that off in production; so we need another solution for "browsing" it for our users.

I think there's some polish we need to do around field ordering and QA, but I think I'd be 👍 to get this merged and deployed behind a feature flag for internal testing.

[ericholscher]

This will only return anything on the stable version, that seems confusing?

[humitos]

What would it return in case it's not stable?

This method return "where the current version points to" and it only makes sense for stable which will point to a specific tag/version.

[ericholscher]

I just mean we should call the function stable_ref or something -- it doesn't get the ref for any Version.

[stsewd]

Also, we could wait till having aliases, also identifier has the commit of the tag, maybe we can filter for that instead of calling determinate_stable_version

[ericholscher]

I'm surprised we don't already have this logic somewhere.

[humitos]

If we do have it, I didn't find it :/

[stsewd]

We assembled the url here https://github.com/rtfd/sphinx_rtd_theme/blob/a49a812c8821123091166fae1897d702cdc2d627/sphinx_rtd_theme/breadcrumbs.html#L45 but we get some metadata from here https://github.com/rtfd/readthedocs.org/blob/humitos/api/v3-implementation/readthedocs/doc_builder/backends/sphinx.py#L88-L104

[ericholscher]

Believe @stsewd already did this in another PR.

[humitos]

Yes. I need to rebase my branch.

[ericholscher]

Is this backwards compat? Do we care?

[humitos]

No, it's not.

I think I left this change by mistake since it's not really necessary but I was testing another thing and I wanted to keep the pattern.

Although, I think we don't care since this is not really used as far as I know.

[ericholscher]

Is there an abstraction here that will work better between the .org & .com?

[humitos]

Yes. I need to use .public/.api method form the manager here probably so the migration to .com is easier and just in one place.

[ericholscher]

Looks at this in the response was confusing:

urls: {
documentation: "http://time-test.dev.readthedocs.io:8000/en/latest/",
project: null
}

Perhaps it should be project_homepage or something? Otherwise I might confuse it with the URL of the RTD page for the project (which isn't in the response, afaict)

[humitos]

Mmm... good point. I didn't add "human" URLs for Project, Version and Build under Read the Docs. I may worth to add them all in each response.

[ericholscher]

Typo

Suggested change

	field_name='versbose_name',
	field_name='verbose_name',

[ericholscher]

This is broken in testing "invalid_name":

Suggested change

	running = filters.BooleanFilter(method='get_running')
	running = filters.BooleanFilter(method='get_running', label="Running")

[ericholscher]

When I don't have a superproject I get a 404, when I don't have a subproject I get a 200 with an empty list. Should fix one approach and stick to it.

[humitos]

The response is different because the relations are different: a project can have 0 to N subprojects (which returns a list view) but None or 1 superproject (which returns a detailed view).

[ericholscher]

This should be either a queryset method or a mixin. I think as a rule we should have no custom querysets unless we have a really good reason.

[humitos]

I refactored all the auth/permission checks into a Mixin and a Permission class. Please, let me know what you think about the new updates.

[ericholscher]

Looks great on my side. I don't fully understand it, but the approach looks good.

[ericholscher]

Suggested change

	required. In that case, an specific mixin for that case should be defined.
	required. In that case, a specific mixin for that case should be defined.

[ericholscher]

Feels weird to have this here as a special case, as noted in the comment. Don't understand the code enough to fully evaluate it tho.

[davidfischer]

I agree. This sort of a special case should be on the ProjectViewSet class.

[humitos]

I moved it the ProjectViewSet. Makes more sense there.

[ericholscher]

Is this correct? auth and permission are different to me, so we should be sure we about what it is.

[davidfischer]

As long as this class extends from IsAuthenticated calling the superclass will just check if the user is authenticated.

Looking more generally at this permission class as a whole I think it is too complicated and will yield future bugs. Instead of having a complex permission class that has some tight coupling with the classes it is used on (this class checks view.basename), I would rather see ProjectViewSet.get_queryset limit the queryset that a user can query.

I see that @ericholscher suggested previously that having a custom get_queryset is something we should avoid. I can't comment there directly since that commit was removed in a force push. I don't agree with that statement and fundamentally this looks like a case where the queryset does need to change. The queryset should return the user's projects on a listview and all projects on a details view.

[humitos]

I moved the chunk of specific code for ProjectViewSet and this class now basically does what David mentioned here:

1. returns user's projects if admin (detail_objects method)
2. returns all projects the user can see (listing_objects method)

We may want to keep talking about this in another channel. I don't want to block the PR on this piece of auth since we may need a bigger refactor for that anyways.

[ericholscher]

I just mean we should call the function stable_ref or something -- it doesn't get the ref for any Version.

[stsewd]

The common submodule shouldn't be updated here (#5517)

I have some questions:

• Privacy level, we are going to remove them, should we remove them from the api? (Update/Remove privacy level docs page #4743 )
• Project's description, is also going to be removed (Remove project description field #3689 )

json string ref: tag or branch pointed by this version (available only when version is stable or latest)

Guessing we are going to use this for version's alias

Some bugs I found

• http://localhost:8000/api/v3/projects//master/ give 500 (it returns 2 objects in a .get query) (latest and master have the same verbose_name, we should look up for slug).

• Docs should be updated with the current implementation

https://github.com/rtfd/readthedocs.org/blob/humitos/api/v3-implementation/docs/api/v3.rst#L426-L426

• Looks like builds/latest isn't implemented
• builds/id/commands isn't implemented
• users/ isn't implemented

[stsewd]

The query description needs to be updated too

[stsewd]

I think the structure of api v3 is fine, I left some questions and maybe bugs p:

[stsewd]

Is this some kind of standard way in rest framework? Feels weird having __ them in the query params (it also can be confused with _, and be ignored without any error)

[humitos]

Yes, this is the standard from django filters and it follow the idea of Django ORM.

[stsewd]

There is a bug here, slug can be ended up undefined. It's named as project_slug above

[stsewd]

The file name shouldn't be renderers? p:

[stsewd]

aren't we leaking some info with last_login?

[humitos]

Mmm... Not sure if this is really important.

In theory, you can see these info from people you share a project with. We already remove first and last name just in case, but those are bigger ones in case of leak.

[humitos]

If we care about last_login, we should remove date_joined as well.

[stsewd]

GitHub does show the date_joinded field, last login feels like a more private thing

[davidfischer]

I'm +1 on removing last login.

[stsewd]

Also, we could wait till having aliases, also identifier has the commit of the tag, maybe we can filter for that instead of calling determinate_stable_version

[stsewd]

We assembled the url here https://github.com/rtfd/sphinx_rtd_theme/blob/a49a812c8821123091166fae1897d702cdc2d627/sphinx_rtd_theme/breadcrumbs.html#L45 but we get some metadata from here https://github.com/rtfd/readthedocs.org/blob/humitos/api/v3-implementation/readthedocs/doc_builder/backends/sphinx.py#L88-L104

[stsewd]

Looks like we are no't using this

[humitos]

json string ref: tag or branch pointed by this version (available only when version is stable or latest)

Guessing we are going to use this for version's alias

My idea here is that if you get stable, you are able to know what version it is (2.0, or 1.4 for example). Otherwise, there is no way to know it.

Alias are different than this and we should add that value in the response when we implement them.

• Privacy level, we are going to remove them, should we remove them from the api? (Update/Remove privacy level docs page #4743 )

• Project's description, is also going to be removed (Remove project description field #3689 )

Hrm, good point. I think that it's better to remove them now and then add them if we need them --otherwise it will be a breaking change.

I suppose that we will need privacy_level for the corporate site, though. But we can add it when we get there.

http://localhost:8000/api/v3/projects/master/ give 500 (it returns 2 objects in a .get query) (latest and master have the same verbose_name, we should look up for slug).

I'm not sure to understand this. That URL will lookup for a project with slug master. If we want to check the version master of a project, this is the URL: /api/v3/projects/test-builds/versions/master/ and it works to me.

[davidfischer]

I'm in favor of shipping this or something close to it as a first version so we can start to actually use it internally in production and iterate on it. I do have some comments but none of them should block shipping.

I would like to better understand the thought process behind the current expandable fields. I can see a potential use case for expandable fields if the data was very verbose or expensive to calculate but in some of the cases in this PR that is not the case. Furthermore, the data seems pretty useful (the last build on a version, the active versions of a project). Is there instead a way to display say a short listing by default (eg. just the slugs of the active versions) and then optionally expand to something more verbose?

There are still some performance issues with this but I think we can track them down after the internal rollout. For example, querying http://localhost:8000/api/v3/projects/?expand=active_versions.last_build resulted in 150 DB queries.

On a side note, moving restapi -> api/v2 in this PR made it quite a bit harder to review.

[davidfischer]

I think we may need to monitor this pretty closely as I suspect we might hit this limit. For the initial rollout, this is fine (removing throttling altogether might be better though) but I think 10/m is very low for a logged in user especially if we need to use the API to do anything.

[humitos]

Yes. I just wanted to have the settings there to decide the best values all together.

I'm going to use the ones listed in the DRF docs as example which seems reasonable: 60/minute for now. We can tune them later if we want to be less permissive.

[davidfischer]

Suggested change

	Full documentation at [https://docs.readthedocs.io/en/latest/api/v3.html](https://docs.readthedocs.io/en/latest/api/v3.html).
	Full documentation at [https://docs.readthedocs.io/page/api/v3.html](https://docs.readthedocs.io/page/api/v3.html).

[davidfischer]

As long as this class extends from IsAuthenticated calling the superclass will just check if the user is authenticated.

Looking more generally at this permission class as a whole I think it is too complicated and will yield future bugs. Instead of having a complex permission class that has some tight coupling with the classes it is used on (this class checks view.basename), I would rather see ProjectViewSet.get_queryset limit the queryset that a user can query.

I see that @ericholscher suggested previously that having a custom get_queryset is something we should avoid. I can't comment there directly since that commit was removed in a force push. I don't agree with that statement and fundamentally this looks like a case where the queryset does need to change. The queryset should return the user's projects on a listview and all projects on a details view.

[davidfischer]

Perhaps I'm the only one but I think that the magic .api() method on our managers is a bit of an anti-pattern. It isn't entirely clear to me what those methods do and I feel a number of bugs have been introduced due to confusion in what those methods do (in addition to .public() and .private()). Perhaps this is unavoidable for now until the codebases for .org and .com are merged.

[humitos]

We talked a little about this at the offsite. All of our code is using this and changing/removing it will require a bigger refactor.

I wrote a document explaining a little what each of these method do when I started touching auth in this API branch to match what we discussed: #5624

Although, I think this is outside the scope of this PR. We will need to talk more and agree on a pattern to follow, though.

[davidfischer]

Depending on the queryset, contains on versions may not have great performance. This shouldn't stop the rollout but it will be something to look at in prod.

[davidfischer]

This permission class is too specific to projects to be in this generic mixin which is for all viewsets. I think we should have something more generic like IsAuthenticated.

[humitos]

Currently, all of our endpoints are registered under /projects so we can keep it like this for now and extend/move when need it.

[davidfischer]

I am not sure of the use case behind adding so many different filterable elements. I'm also not sure what the use case is behind the contains filters. These are a lot of filters on fields that are not indexed in the DB. We had to remove a number of filters in API v2 due to performance issues. This may not be a problem in v3 because they will only filter a single user's much smaller set of projects but at that point these filters aren't very useful.

[davidfischer]

The maintainers of a project seems like pretty core information about the project. I'm not sure it should be an expandable field. I think it should always be expanded.

• All the users for all projects can be prefetched in one additional query. It won't be a performance issue.
• The project/<slug>/users endpoint is then pretty useless. The user serializer doesn't really have any useful info except the username. I say we get rid of the serializer and the endpoint.
• We may in the future have a user endpoint (not under the project) and if we need to share additional details about a user (eg. all the projects they are a maintainer of) we can do that there and the user can query about a user given just the username.

[davidfischer]

Rather than mixing in ListModelMixin, RetrieveModelMixin and GenericViewSet couldn't we instead mixin ReadOnlyModelViewSet?

[humitos]

Good point.

The only reason is that I didn't know that it existed 😉 . Upgrading...

[davidfischer]

I think this class could use a better name. It isn't authentication per se, it is a class for getting the correct project queryset given a user and a request. How about ProjectQuerysetMixin?

[stsewd]

We are leaking builder and cold_storage to common users, we only show this to admin users in v2

[humitos]

I agree that cold_storage could be removed from here, considering that we are going to have everything in cold storage in the near future. So, this won't be useful anymore.

builder is not a problem, but you are right that this should probably be only for admins. I will remove it for now, and we can consider re-add it later if we want to expose different things to different users. Also, if we are going to use lambda functions or similar, the builder won't make sense anymore.

[stsewd]

Probably we don't want show this, we don't use that feature anymore

[stsewd]

I don't remember if we wanted to remove this from versions and projects or only versions. I think tags aren't used anyway.

[humitos]

I think we want to remove them from versions only, as far as I remember.

[stsewd]

Also, I feel like links should be private (_links). It could be misinterpreted or collide with another field. For example in versions, downloads vs links. Or in projects urls vs links

[humitos]

OK! I think that I took a look at all the comments/suggestions and fix them all or replied. I think we can merge it once the tests pass.

Then, we can keep talking about more specific details and make the adjustments we need. We are not going live immediately for the users, so we have some time to do "breaking changes" before making it public.

[stsewd]

This test is still not passing

    def test_detail_unique_version(self):
        second_project = fixture.get(
            Project,
            users=[self.me]
        )
        second_version = fixture.get(
            Version,
            slug=self.version.slug,
            verbose_name=self.version.verbose_name,
            identifier='a1b2c3',
            project=second_project,
            active=True,
            built=True,
            type='tag',
        )
        self.client.credentials(HTTP_AUTHORIZATION=f'Token {self.token.key}')
        response = self.client.get(
            reverse(
                'projects-versions-detail',
                kwargs={
                    'parent_lookup_project__slug': self.project.slug,
                    'version_slug': self. version.slug,
                }),

        )
        self.assertEqual(response.status_code, 200)
        self.assertDictEqual(
            response.json(),
            self._get_response_dict('projects-versions-detail'),
        )

When there are two projects or more with the same slug for its versions

[humitos]

When there are two projects or more with the same slug for its versions

Thanks @stsewd for mentioning this. I added your test to the suite and I think we are ready to merge this now if you agree.