gdcc / dvwebloader

A web tool for uploading folders of files to a Dataverse dataset
Apache License 2.0

Security topic : Api Key and Signed urls #20

Open luddaniel opened 1 year ago

luddaniel commented 1 year ago

Hello @qqmyers and everybody, I was wondering about the security regarding the use of the API key &key=xxx as a query string of the URL. Understand that I just want to open the dialogue on this topic.

An API key is required to use the Direct DataFile Upload/Replace APIs, but the security risk seems important to me: non-IT users may share this URL or may keep browser history on a shared computer and give their level of access on Dataverse.

Security is important and this issue has been addressed for Dataverse External Tools with the Signed URLs option. I don't know if it's possible to use it right now, but it might be an idea to work on this (maybe extend the Dataverse Signed URL scope to more than only External Tools if it's not).

Here is a non-exhaustive list of benefits to consider:

What do you think? Best regards

luddaniel commented 1 year ago

To generate a Request Signed URL we need a superUser API key, so it does not seem possible from the DvWebLoader JavaScript side. An idea is to pre-generate the required Signed URLs from Dataverse UI > Dataset upload file tab and send them to DvWebLoader.

qqmyers commented 1 year ago

Yes, this would require changes to both Dataverse and the dvwebloader. The dvwebloader is essentially an external tool, but, because it is now hardwired into the download pane, it is not registered like an external tool and thus there's no place to configure which signedUrls the tool should get. That said, this would be relatively straightforward to do when someone has the time/interest. (It would also be great to have all the previewers using signedUrls.)

FWIW: The examples for the DirectUpload API show use of an APIKey, but those calls, like the rest of the API, can be used with signedUrls as well.
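
An added illustration (not code from this thread, Dataverse or dvwebloader) of why a signed URL exposes less than an API key in the query string: the token is bound to one URL, one HTTP method, one user and an expiry time. It uses a generic HMAC scheme; the secret, the example URL and the parameter names `until`, `user`, `method` and `token` are assumptions, not Dataverse's actual signing format.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo secret (assumption); held by the server only, never sent to the browser.
SERVER_SECRET = b"constructed-demo-secret"


def _mac(method, base_url, user, until):
    # Bind the signature to the method, the exact URL, the user and the expiry.
    msg = "\n".join([method.upper(), base_url, user, str(until)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(base_url, user, method, ttl_s, now=None):
    """Server side: append until/user/method/token to base_url."""
    until = int((time.time() if now is None else now) + ttl_s)
    params = {"until": until, "user": user, "method": method.upper(),
              "token": _mac(method, base_url, user, until)}
    sep = "&" if urlsplit(base_url).query else "?"
    return base_url + sep + urlencode(params)


def verify_url(signed_url, method, now=None):
    """Server side: return the signed-for user, or None if the URL is rejected."""
    now = time.time() if now is None else now
    idx = signed_url.rfind("until=")
    if idx < 1:
        return None
    base_url = signed_url[:idx - 1]          # strip the '?' or '&' separator
    p = dict(parse_qsl(signed_url[idx:]))
    try:
        until, user = int(p["until"]), p["user"]
        token, signed_method = p["token"], p["method"]
    except (KeyError, ValueError):
        return None
    if signed_method != method.upper() or now > until:
        return None                          # wrong method or expired
    expected = _mac(method, base_url, user, until)
    ok = hmac.compare_digest(expected.encode(), token.encode())
    return user if ok else None


if __name__ == "__main__":
    # Constructed example URL (assumption), signed for a 60-second upload window.
    url = sign_url("https://dataverse.example.org/api/upload?dataset=42",
                   "alice", "POST", ttl_s=60)
    print(url)
    print(verify_url(url, "POST"))
```

A URL of this kind that ends up in browser history or is forwarded to a colleague stops working after `until` and never authorizes a different endpoint, method or user, whereas a leaked `&key=xxx` carries the user's full access until the key is revoked.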