peeringdb / peeringdb

Server code for https://www.peeringdb.com/
BSD 2-Clause "Simplified" License

API key cannot be used to retrieve IX-F import preview #1659

Open GD1200 opened 3 months ago

GD1200 commented 3 months ago

Describe the bug

I noticed that it is not possible to use our read-only API key to access the IX-F import preview for our exchange objects. Instead, we have to use basic HTTP authorisation. For example:

$ curl -sH "Authorization: Api-Key ${PDB_KEY}" https://www.peeringdb.com/import/ixlan/3800/ixf/preview | jq .
{
  "non_field_errors": [
    "Permission denied"
  ]
}

I can successfully use the same key to access other endpoints:

$ curl -sH "Authorization: Api-Key ${PDB_KEY}" https://www.peeringdb.com/api/ixlan/3800 | jq .data[].ixpfx_set
[
  {
    "id": 3293,
    "protocol": "IPv4",
    "prefix": "112.137.24.0/24",
    "in_dfz": true,
    "created": "2022-04-28T13:52:31Z",
    "updated": "2022-04-28T21:08:03Z",
    "status": "ok"
  },
  {
    "id": 3295,
    "protocol": "IPv6",
    "prefix": "2a00:8422:ae5::/64",
    "in_dfz": true,
    "created": "2022-04-28T21:13:02Z",
    "updated": "2022-04-28T21:13:02Z",
    "status": "ok"
  }
]

I can also successfully access /import/ixlan/3800/ixf/preview using the basic authorisation:

$ curl -su ${PDB_USER}:${PDB_PASS} https://www.peeringdb.com/import/ixlan/3800/ixf/preview | jq .
{
  "data": [],
  "errors": []
}

I guess it is because this endpoint is outside the "/api/" hierarchy. Therefore, I checked if there is another suitable endpoint documented in the PeeringDB API Documentation, but I could not find anything related to the IX-F preview.

To Reproduce

Steps to reproduce the behavior: see the curl commands above.

Expected behavior

A JSON output with the preview data should be returned.

Who is affected by the problem?

Exchange operators

What is the impact?

Are there security concerns?

Yes, please see the section above.

Are there privacy concerns?

No

What are the proposed actions?

Consider making https://www.peeringdb.com/import/ixlan/{ID}/ixf/preview part of the usual set of API endpoints accessible with API keys.

What is the proposed priority?

Low

Provide a rationale for any/all of the above

Please see the points in the impact section.

Additional context

[PEERINGDB-202408SO6OC1]
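An added example, not part of this issue or of the PeeringDB code base: a small audit script that checks, with only the read-only API key and no password, which endpoints for an ixlan accept the key, by classifying PeeringDB's JSON response shape (a top-level `data` list versus `{"non_field_errors": ["Permission denied"]}`) as shown in the curl output above. The path list, the `PDB_KEY` environment variable and the pluggable `fetch` callable are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request

BASE = "https://www.peeringdb.com"


def classify(body: str) -> str:
    """Classify a PeeringDB JSON body by its auth outcome.

    'ok'                -> a top-level "data" list came back
    'permission_denied' -> {"non_field_errors": ["Permission denied"]}
    'other'             -> anything else (HTML login page, non-JSON error, ...)
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "other"
    if isinstance(doc, dict):
        if "Permission denied" in doc.get("non_field_errors", []):
            return "permission_denied"
        if isinstance(doc.get("data"), list):
            return "ok"
    return "other"


def fetch_with_api_key(path: str, api_key: str) -> str:
    """Default fetcher: GET the path with the Api-Key header only (no basic auth).
    A 4xx body is returned as well, since that is where the error JSON lives."""
    req = urllib.request.Request(BASE + path, headers={"Authorization": f"Api-Key {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def paths_for_ixlan(ixlan_id: int) -> list:
    """The two endpoints contrasted in the report: the /api/ object and the IX-F preview."""
    return [f"/api/ixlan/{ixlan_id}", f"/import/ixlan/{ixlan_id}/ixf/preview"]


def audit(paths: list, fetch) -> dict:
    """Map each path to its classification; `fetch(path) -> body` is injectable for offline tests."""
    return {p: classify(fetch(p)) for p in paths}


if __name__ == "__main__":
    key = os.environ["PDB_KEY"]  # assumed env var holding the read-only API key
    for path, outcome in audit(paths_for_ixlan(3800), lambda p: fetch_with_api_key(p, key)).items():
        print(f"{outcome:18} {path}")
```

Any path reported as `permission_denied` is one that still forces automation onto username/password instead of a scoped key.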

arnoldnipper commented 3 months ago

+1

Yo-Robinson commented 2 months ago

+1

jackcarrozzo commented 2 months ago

+1