qqmyers
commented
5 years ago It's almost that simple :-) - a couple things to be aware of/manage though.
What you copy and paste (the key:apiToken part) tells Dataverse to send the user's API Key - the one they can create in their Dataverse profile - to the previewer so it can request the restricted file on their behalf. There's nothing more an admin has to do to make this work. Since the api key only has the user's permissions, the previewers won't let you see a file you can't download directly. Thus, the previewers maintain the access controls that are configured in Dataverse.
You can drop the key:apiToken part of the configuration you copy/paste to be more secure but this would stop the previewers from working on draft/restricted files. Conversely, admins should be aware of the risk involved in Dataverse's existing external tools interface in sending a apiKey (which could be visible in the browser and allows the tool (previewer) to access the Dataverse api as the user). Whether that's acceptable and/or what type of user guidance for protecting an API key (such as not using public computers, using an 'in cognito' session, updating the api key in Dataverse periodically, etc.) should be given are up to you.
Also - note that if a user has not created an api key, or if that key has expired, the current Dataverse code won't send a valid key and the preview will fail. FWIW: There's a pull request (https://github.com/IQSS/dataverse/pull/5881) that adds code to Dataverse to automatically create/update an api key if needed (and to only send the key if a draft/restricted file is being previewed) that's currently under discussion. This avoids users having failures, but, by automating api key creation, takes away a chance to inform users about how to manage them, unless we also add some user messaging/emails (see the pull and associated issue). We've also discussed some ideas for further dev work that could enhance security of api keys and using external tools going forward (happy to talk about any of this directly).
shlake
I read the Readme file and it said "tokens" are only needed for restricted files. But can you elaborate on what this command parameter {\"key\":\"{apiToken}\"} does?
I do not have to replace the variables in the command at all? The previewer will pick up the variables from the user who is "previewing"?
I haven't tried, but the directions say all I do is copy/paste the curl command from the readme file. Is it really that simple?
Thanks for developing this - can't wait to see what I can do with it.