peeringdb / peeringdb

Server code for https://www.peeringdb.com/
BSD 2-Clause "Simplified" License

API key cannot be used to retrieve IX-F import preview #1659

Open GD1200 opened 1 month ago

GD1200 commented 1 month ago

Describe the bug

I noticed that it is not possible to use our read-only API key to access the IX-F import preview for our exchange objects. Instead, we have to use basic HTTP authorisation. For example:

$ curl -sH "Authorization: Api-Key ${PDB_KEY}" https://www.peeringdb.com/import/ixlan/3800/ixf/preview | jq .
{
  "non_field_errors": [
    "Permission denied"
  ]
}

I can successfully use the same key to access other endpoints:

$ curl -sH "Authorization: Api-Key ${PDB_KEY}" https://www.peeringdb.com/api/ixlan/3800 | jq '.data[].ixpfx_set'
[
  {
    "id": 3293,
    "protocol": "IPv4",
    "prefix": "112.137.24.0/24",
    "in_dfz": true,
    "created": "2022-04-28T13:52:31Z",
    "updated": "2022-04-28T21:08:03Z",
    "status": "ok"
  },
  {
    "id": 3295,
    "protocol": "IPv6",
    "prefix": "2a00:8422:ae5::/64",
    "in_dfz": true,
    "created": "2022-04-28T21:13:02Z",
    "updated": "2022-04-28T21:13:02Z",
    "status": "ok"
  }
]

I can also successfully access /import/ixlan/3800/ixf/preview using the basic authorisation:

$ curl -su "${PDB_USER}:${PDB_PASS}" https://www.peeringdb.com/import/ixlan/3800/ixf/preview | jq .
{
  "data": [],
  "errors": []
}

I guess it is because this endpoint is beyond the "/api/" hierarchy. Therefore, I checked if there is another suitable endpoint documented in the PeeringDB API Documentation, but I could not find anything related to IX-F preview.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

A JSON output with the preview data should be returned.

Who is affected by the problem?

Exchange operators

What is the impact?

Are there security concerns?

Yes, please see the section above.

Are there privacy concerns?

No

What are the proposed actions?

Consider making https://www.peeringdb.com/import/ixlan/{ID}/ixf/preview part of the usual set of API endpoints accessible with API keys.

What is the proposed priority?

Low

Provide a rationale for any/all of the above

Please see the points in the impact section.

Additional context

[PEERINGDB-202408SO6OC1]

arnoldnipper commented 1 month ago

+1

Yo-Robinson commented 2 weeks ago

+1

jackcarrozzo commented 1 week ago

+1