openfoodfacts / openfoodfacts-events

Events repository and API for product scans, photo uploads, robotoff annotations etc.
GNU Affero General Public License v3.0

Add authentication of applications #48

Open alexgarel opened 2 years ago

alexgarel commented 2 years ago

Is your feature request related to a problem? Please describe.

Everyone can now do a post against the API and thus register events. Registering events should only be possible for a set of known applications.

Describe the solution you'd like

I imagine:

Also, in events I would add a column with a link to the app which added the event (it's kind of the author).

We could add a CLI to add applications and get a token (or regenerate it).

Describe alternatives you've considered

The limit of a fixed auth token is that it has to be embedded in the mobile / desktop app. It only really works for server-side applications. As the mobile app will pass through the API, it's maybe ok to start with.

We could use JWT and such things but it seems overkill as a first approach and does not bring much.

Additional context

In the first round, only robotoff and openfoodfacts would need to have a token.

Also we should consider the case of third-party apps using the API. Would we account for them? (but it can introduce a way of cheating).
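
The fixed per-application token scheme proposed above, sketched as an added example that is not part of the original issue or the project's code. The `AppRegistry` class, its method names, the event fields and the choice to store only a SHA-256 digest of each token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(token):
    # Store only a digest, so a leaked applications table holds no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AppRegistry:
    """Hypothetical in-memory stand-in for an 'applications' table."""

    def __init__(self):
        self._token_digests = {}  # app name -> hex digest of its current token
        self.events = []          # every stored event records the app that posted it

    def issue_token(self, name):
        """Create the app or rotate its token (the CLI step); any old token stops working."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._token_digests[name] = _digest(token)
        return token  # shown once to the operator, never stored in clear

    def authenticate(self, token):
        """Return the application name for a valid token, else None."""
        if not token:
            return None
        candidate = _digest(token)
        matched = None
        for name, stored in self._token_digests.items():
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(candidate, stored):
                matched = name
        return matched

    def register_event(self, token, event_type, barcode):
        """Reject the POST unless the token maps to a known application."""
        app = self.authenticate(token)
        if app is None:
            raise PermissionError("unknown or missing application token")
        event = {"event_type": event_type, "barcode": barcode, "app": app}
        self.events.append(event)
        return event


if __name__ == "__main__":
    registry = AppRegistry()
    token = registry.issue_token("robotoff")
    # Constructed sample event; the barcode is a placeholder value.
    print(registry.register_event(token, "product_scan", "0000000000000"))
```

Because tokens are high-entropy random values, a plain fast hash is enough for storage here; a password-hashing function would only be needed for human-chosen secrets.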

shlokster commented 2 years ago

Hi Alex, I have a doubt here. What do you mean by applications in this context? Correct me if I'm wrong: from what I have understood so far, a user registers an event using the API in Open-food-facts-events. This adds the event to the main app. In your solution you mentioned displaying a table listing all the allowed applications. What exactly are these applications you are talking about?