Add simple Application/API Key management

6aika / issue-reporting

Reference Open311 API server implementation

MIT License

7 stars 4 forks source link

Add simple Application/API Key management #51

Closed aapris closed 8 years ago

aapris commented 8 years ago

POST Service Request should require API Key, as GeoReport v2 specification says. Simple API Key management could be in Django admin.

http://wiki.open311.org/GeoReport_v2/#post-service-request

akx commented 8 years ago

This is problematic with the simple UI though -- it will have to have the API key it uses embedded somewhere in the source, as the client does the POSTing.

This in turn means anyone can just snarf the API key from the simple UI's source and use it for their nefarious posting needs.

akx commented 8 years ago

Reassigned @aapris to figure out a resolution for the above. ☝️

akx commented 8 years ago

Let's add a simple Application model with similar semantics as Jurisdictions:

if no applications exist, one is implicitly created without api key requirement
if exactly one application exists and it has no api key, allow POSTing without an api_key
if more than one application exists, api_key is required

The simple issue UI will have to check whether the system is in a mode that requires API keys, and if it is, it must supply one to the frontend JavaScript.

akx commented 8 years ago

Fixed via #61.