wellcomecollection / platform

Wellcome Collection Digital Platform
https://developers.wellcomecollection.org/
MIT License

Archivematica callback URIs embed AM API credentials #3534

Open alexwlchan opened 5 years ago

alexwlchan commented 5 years ago

Witness ingest d5ff7a8a-4d8b-48cd-80c5-d05ae1d2f8e5:

https://archivematica-storage-service.wellcomecollection.org/api/v2/file/9ef61ada-3f0c-4e5c-82f0-79ff4a1bf55f/wellcome_callback/?username=test&api_key=[api_key]

This is fragile and a bit dangerous.

helenst commented 5 years ago

Archivematica Storage Service API: https://wiki.archivematica.org/Storage_Service_API - supports Authorization header. Could we support this in the code that invokes the callback?

i.e. AM storage service still stores this as part of the Wellcome storage plugin setup and would still need to make the credentials part of the ingest API call, but they wouldn't be included in the callback URL any more.

alexwlchan commented 5 years ago

I’d be happier with that. Notifier could easily send an auth header.

So when you make the ingest request, you’d send something like:

  "callback": {
    "auth": "test:1234567890",
    "type": "Callback",
    "url": "https://workflow.wellcomecollection.org/callback?id={id}"
  }

We wouldn't present that auth header again if you queried the state of the ingest, just hold it internally. And then maybe clean it up when we've made the callback?

Let's talk to Jonathan and Robert, because it adds a bit of messiness to the internal code.
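
A sketch of the approach discussed above, as an added example that is not part of the original thread or the platform's code: credentials are lifted out of the callback URL's query string, withheld from the ingest-state view, sent as an `Authorization: ApiKey user:key` header, and dropped once the callback request is built. `CallbackStore`, its method names and the `am-storage.example` host are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names seen in the callback URI quoted in this issue.
SENSITIVE_PARAMS = {"username", "api_key"}


def split_credentials(url):
    """Return (clean_url, auth); auth is 'user:key' or None."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    creds = {k: v for k, v in query if k in SENSITIVE_PARAMS}
    if not creds:
        return url, None  # nothing to strip; leave templates like {id} untouched
    kept = [(k, v) for k, v in query if k not in SENSITIVE_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    auth = None
    if SENSITIVE_PARAMS <= set(creds):
        auth = f"{creds['username']}:{creds['api_key']}"
    return clean, auth


class CallbackStore:
    """Hypothetical in-memory stand-in for the service's callback records."""

    def __init__(self):
        self._callbacks = {}

    def register(self, ingest_id, callback):
        # Prefer an explicit "auth" field; fall back to credentials in the URL.
        url, url_auth = split_credentials(callback["url"])
        auth = callback.get("auth") or url_auth
        self._callbacks[ingest_id] = {"url": url, "auth": auth}

    def public_view(self, ingest_id):
        """What an ingest-state query would return: the auth value is withheld."""
        return {"type": "Callback", "url": self._callbacks[ingest_id]["url"]}

    def build_request(self, ingest_id):
        """Return (url, headers) for the notifier, then drop the credential."""
        cb = self._callbacks[ingest_id]
        headers = {"Content-Type": "application/json"}
        if cb["auth"]:
            headers["Authorization"] = f"ApiKey {cb['auth']}"
        cb["auth"] = None  # held internally only until the callback is made
        return cb["url"], headers
```
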

helenst commented 5 years ago

That sounds sensible to me.

jtweed commented 5 years ago

Alternative is to use a hash of some kind here, which I think is what Goobi does?