rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License
2.32k stars 916 forks

Dashboard RSS feed is accidentally password protected now #3816

Open svoop opened 1 year ago

svoop commented 1 year ago

After logging on to rubygems.org, you land on the Dashboard where a very handy RSS icon leads to the personal RSS feed to be updated whenever a subscribed gem is updated. The RSS feed URL contains a UUID and therefore is safe as is.

Recently, however, the RSS feed URL slipped behind the password protection which doesn't play nice with feed readers. Could you please lift this most likely accidental restriction?

Thanks a bunch!

svoop commented 1 year ago

On second look: The feed is in the protected part of rubygems.org because it needs access to the subscriptions. However, the RSS link on the dashboard contains an api_key which apparently is not accepted anymore. It has a different format (shorter, no prefix) than the regular API keys.

svoop commented 1 year ago

Figured out how to get the feed URL working:

  1. Create a new API key and give it "show dashboard" scope
  2. Append the new API key to this URL: https://rubygems.org/dashboard.atom?api_key=

It's a workaround, the RSS link when you click ...

... on your dashboard (or at least on my dashboard) contains a differently formatted and invalid API key. No idea where it comes from.

simi commented 1 year ago

Hello @svoop and thanks for the info. You're right, the api_key appended to the dashboard is something called "legacy key" and doesn't work every time for all users. The recommended way is exactly as you found out: create a new API key with "show dashboard" scope and use it in the URL.

Any suggestion UI-wise to make users aware of this? We should make it clear you need to create an API key with "show dashboard". Maybe some kind of modal with selector of which api key to use or warning message URL can't be generated with no API key with given scope present?

@jenshenny any idea?

jenshenny commented 5 months ago

> Maybe some kind of modal with selector of which api key to use

I don't think we can retrieve the original api key value after it's been generated.

> or warning message URL can't be generated with no API key with given scope present?

That can be a good solution.

Perhaps we can have the button create an API key with just the show_dashboard scope and generate a link with the new key.
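
The following is an added example, not part of the thread and not rubygems.org's code: a sketch of the last suggestion, under the assumption that keys are stored only as SHA-256 digests, which is why a key can be placed in a link at creation time but not read back later. `KeyStore`, `dashboard_feed_link`, the scope symbols and the `example_` prefix are hypothetical names.

```ruby
require "securerandom"
require "digest"
require "uri"

# Hypothetical in-memory key store; not rubygems.org's schema.
class KeyStore
  Record = Struct.new(:owner, :scopes, :digest)

  def initialize
    @records = []
  end

  # Mint a key limited to the given scopes. Only the digest is kept, so the
  # plaintext is returned exactly once and cannot be recovered afterwards.
  def mint(owner, scopes)
    plaintext = "example_#{SecureRandom.hex(24)}" # constructed prefix
    @records << Record.new(owner, scopes.freeze, Digest::SHA256.hexdigest(plaintext))
    plaintext
  end

  # Look the presented key up by digest and require the endpoint's scope.
  # Returns the owner on success, nil for unknown keys or missing scope.
  def authorize(presented, required_scope)
    digest = Digest::SHA256.hexdigest(presented.to_s)
    record = @records.find { |r| r.digest == digest }
    return nil unless record&.scopes&.include?(required_scope)

    record.owner
  end

  # What the dashboard can still know at render time: whether a suitable key
  # exists, which is enough to choose between a warning and the button.
  def scope_present?(owner, scope)
    @records.any? { |r| r.owner == owner && r.scopes.include?(scope) }
  end
end

# The "button" action: create a show_dashboard-only key and build the feed
# link immediately, while the plaintext is still in hand.
def dashboard_feed_link(store, owner)
  key = store.mint(owner, [:show_dashboard])
  "https://rubygems.org/dashboard.atom?" + URI.encode_www_form(api_key: key)
end
```

Because the key travels in the query string, it will appear in feed-reader configuration and intermediary logs; restricting it to the single dashboard scope bounds what a leaked link can be used for.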