Proposal: Discontinue the exozyme API #162

Closed
opened 2022-06-25 23:21:21 +00:00 by a · 3 comments
Owner

I don't know how many of you were aware that we even had a REST API for exozyme, but we do! It's also full of security holes #147. The main use currently of the API is for registering new users, but I think it's equally fine to do this by email like we used to do.

Basically, the new registration flow would look like this:

  1. Someone emails us to register an account.
  2. We ask for what username they want and other follow-up questions.
  3. That person replies.
  4. We register the account manually with a temporary password.
  5. The person logs in with their temporary password and changes it using `passwd`.

The advantage of this process is that we don't need to maintain a lot of API code like we currently do.

a added this to the v9.0 milestone 2022-06-25 23:21:21 +00:00
a added the enhancement, question, security labels 2022-06-25 23:21:21 +00:00
a added this to the (deleted) project 2022-06-25 23:21:21 +00:00
Author
Owner

Here are the main advantages of discontinuing the API:

  • Less code and one less service to maintain. Maintaining the API is especially tricky since it's entirely written by us. Also, the API requires code from the website, nginx, and scripts repositories so it's a bit complex. To properly fix the security issues, we probably have to actually package the API instead of running it as root in tmux, which would also require maintaining an AUR or Nix package.
  • Fewer security issues. We currently run the API as root which is not great. #147

Here are some disadvantages:

  • We lose all the awesome API functionality! For instance, I wrote a [cool endpoint](https://git.exozy.me/exozyme/scripts/src/commit/33647c34a052e09ceb232f9650dfdf936b4c9d85/api#L38) a while back that runs neofetch and returns the result.
  • Registering a new account is more complicated and manual.
Author
Owner

I think we'll just go with discontinuing the API for now. If you would like to maintain it in the future, please reopen this issue!

a closed this issue 2022-06-25 23:34:21 +00:00
Author
Owner

This is done in scripts [1eadc49cf0](https://git.exozy.me/exozyme/scripts/commit/1eadc49cf09de184490e17a52be2cfd879b22927), nginx [bdd9c3f916](https://git.exozy.me/exozyme/nginx/commit/bdd9c3f916d175f0762504b4d2c2a08e6b59892d), and website [91a8e164af](https://git.exozy.me/exozyme/website/commit/91a8e164afa41c93682c5a37a03e29fb5e403ae7).
Reference: exozyme/exozyme#162