winston-lim / pe


Is it sound to make end users handle API authentication at all #10

Open winston-lim opened 1 year ago

winston-lim commented 1 year ago

In the UG, the following statement is mentioned: "For continued usage of the application, do sign up for your personal API key through LTA"

In the Product Scope, it is mentioned that you target "Singaporean drivers" or just "drivers".

Is the assumption that "Singaporean drivers" or "drivers", i.e. end users, should have knowledge of API authentication sound? Also, relatedly, is the information related to getting a personal API key necessary?

I would argue that API keys should be handled by the dev team and that all information related to API authentication should be hidden from end users.

nus-se-script commented 1 year ago

Team's Response

Hi, thank you for raising this issue. We appreciate your feedback; however, we have to reject your issue for the following reasons.

Firstly, API keys (in general) are private and confidential, and no two or more people should be using the same API key. API key registration is almost always exclusive to the person who signed up, and it is tied to your personal email address (when you sign up on the LTA DataMall website, they will ask for an email address, and the API key will be sent to that email address). Thus, the developer team cannot provide an API key to every user. If this application were to be deployed, we could possibly create a login feature, which would need to be secured, with data stored with encryption in an external database (not user-accessible), which is not possible in the CS2113 case. With this credential we could request the API key from our side and assign an API key to the user internally.

Moreover, we mentioned in the UG that for testing and CS2113 purposes, we are providing a default API key from the developer.

Since the users are also assumed to be tech-savvy (as they are using a CLI), they should understand the concept of authentication, and it is absolutely necessary for them to be able to check whether their API key is valid or not. Thus, in this case the information related to getting a personal API key is necessary.

Items for the Tester to Verify

:question: Issue response

Team chose [response.Rejected]

Reason for disagreement: I believe it is quite clear that if your target audience is Singaporean drivers, the assumption that they are tech-savvy is wrong.

Secondly, projects do not usually make end users handle API keys for external APIs that they use (if they do, it is for their own API), as these should be hidden from end users. Examples include:

I argue that adding the constraint for end users to have their own API key is actually completely unsound.
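The design the team's response sketches (a login feature of the application's own, with the upstream key requested and assigned internally, never handed to the user) is the standard way to keep a third-party API key out of end users' hands. The following is an added example, not code from this project or from LTA, showing that pattern as a minimal in-memory backend: users register and log in with their own credential (stored as a salted PBKDF2 hash), the backend alone holds the upstream key and attaches it server-side, and the backend, not the user, checks whether that key is still valid. The header name `AccountKey`, the class and function names, the sample users and the stand-in upstream handler are all assumptions made for this example so that it runs offline.

```python
"""Added example: third-party API key kept server-side behind per-user login."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption for this example: the upstream API expects its key in an
# "AccountKey" request header. Only the backend ever sets this header.
UPSTREAM_KEY_HEADER = "AccountKey"
PBKDF2_ITERATIONS = 100_000


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class KeyHoldingBackend:
    """Holds the single upstream key; users only ever hold their own login."""

    def __init__(self, upstream_api_key: str, upstream):
        self._upstream_key = upstream_api_key   # never returned to a client
        self._upstream = upstream               # callable(path, headers) -> dict
        self._users: dict[str, UserRecord] = {}
        self._sessions: dict[str, str] = {}     # opaque token -> username

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = UserRecord(salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        """Return an opaque session token, or None. Same answer for unknown
        user and wrong password, so the response does not leak usernames."""
        rec = self._users.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(hash_password(password, rec.salt), rec.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def fetch(self, session_token: str, path: str) -> dict:
        """Proxy a request upstream on behalf of a logged-in user.
        The upstream key is attached here, on the server, and nowhere else."""
        if session_token not in self._sessions:
            return {"status": 401, "body": "login required"}
        return self._upstream(path, {UPSTREAM_KEY_HEADER: self._upstream_key})

    def upstream_key_is_valid(self) -> bool:
        """The backend, not the end user, checks whether its key still works."""
        probe = self._upstream("/probe", {UPSTREAM_KEY_HEADER: self._upstream_key})
        return probe["status"] == 200


def fake_upstream(valid_key: str):
    """Constructed stand-in for the real HTTP API so the example runs offline.
    It accepts exactly one key, like a real per-account key would."""
    def handler(path: str, headers: dict) -> dict:
        if headers.get(UPSTREAM_KEY_HEADER) != valid_key:
            return {"status": 401, "body": "invalid " + UPSTREAM_KEY_HEADER}
        return {"status": 200, "body": "data for " + path}
    return handler


def build_demo(upstream_key: str = "dev-key-123", backend_key: str = "dev-key-123"):
    """Constructed demo setup: one registered user, a configurable backend key."""
    backend = KeyHoldingBackend(backend_key, fake_upstream(upstream_key))
    backend.register("alice", "correct horse battery staple")  # sample user
    return backend


if __name__ == "__main__":
    backend = build_demo()
    token = backend.login("alice", "correct horse battery staple")
    print("key valid:", backend.upstream_key_is_valid())
    print("with login:", backend.fetch(token, "/traffic"))
    print("without login:", backend.fetch("not-a-real-token", "/traffic"))
```

Two things the example makes concrete: a user-facing session token carries no information about the upstream key, so a leaked token costs one user session rather than the shared key; and when the upstream key is rotated or revoked, `upstream_key_is_valid()` lets the service detect it centrally instead of every driver having to diagnose an authentication failure on their own.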