[#31579] - [4.0][webservices] allow public GET with rate limit control
- Closed
- 26 Jun 2021
- Medium
- Build: 4.0-dev
- # 31579
- Diff
- alikon:patch-105
User tests: Successful: Unsuccessful:
Pull Request for Issue #27569 point 3).
Summary of Changes
- endpoint fine grained control
- allow public GET for an endpoint
- endpoint rate limit control
- CLI command to reset limit quota
php cli/joomla.php webservices:reset
enabled for:
plg_webservices_contentplg_webservices_contactplg_webservices_modulesplg_webservices_users
the others webservices plugin works as before (ie no public GET)
Testing Instructions
- apply PR or download the Prebuilt package
- generate a new Joomla API TOKEN
- go to plugins - Web Services - Content/Contact/Modules/Users
- check the new config parameters
Endpoint Allowed Verbs Test
- select all verbs and check that each one works as before
- check that only the allowed verbs works
-- enable POST only
-- and make a GET {{base_path}}/api/index.php/v1/content/article
-- you'll get a 404 - Resource not found
Public GET Test
-
enable Allow Public GET
-- and make a GET {{base_path}}/api/index.php/v1/content/article without the Joomla API TOKEN (noAuth)
-- you'll get a 200 response
-- check that only public content is returned -
enable Allow Public GET
-- and make a GET {{base_path}}/api/index.php/v1/content/article with the Joomla API TOKEN
-- you'll get a 200 response
-- check that all content is returned (punblishe/unpublished) -
disable Allow Public GET
-- and make a GET {{base_path}}/api/index.php/v1/content/article without the Joomla API TOKEN (noAuth)
-- you'll get a 401 response -
disable Allow Public GET
-- and make a GET {{base_path}}/api/index.php/v1/content/article with the Joomla API TOKEN
-- you'll get a 200 response
Rate Limit Test
- enable Allow Public GET
- set Rate limit to 5
-- and make 6 GET {{base_path}}/api/index.php/v1/content/article without the Joomla API TOKEN (noAuth)
-- you'll get a 429 response - click on Reset Limit
-- and make a GET {{base_path}}/api/index.php/v1/content/article without the Joomla API TOKEN (noAuth)
-- you'll get a 200 response
Actual result BEFORE applying this Pull Request
n/a
Expected result AFTER applying this Pull Request
you can allow public GET
you can choose what verbs can be requested for each plugin
Documentation Changes Required
yes
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration Language & Strings Libraries Front End Plugins |
| Labels |
Added:
?
?
?
|
||
To me it looks good, and I like the approach. I'm not deep enough into API and security stuff to say if it's safe enough or not, but I can't see any issue with it right now.
API tests are failing https://ci.joomla.org/joomla/joomla-cms/38077/1/25 ... I guess this is expected due to tests having to be adjusted to the changes in this PR?
Sorry I've made my point badly there. If you set the public param (at least back then) the endpoint couldn't be accessed. I don't think this should be enabled for any core endpoints. For example with this change you'd allow public get's of unpublished articles (I assume - haven't tested)
not sure i fully get you
with the public GET allowed you can simply use {{base_path}}/api/index.php/v1/content/article?filter[state]=1
I have tested this item
Working correctly. But not sure about security.
Thank you for the implementation
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31579.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31579.
not sure i fully get you
with the public GET allowed you can simply use
{{base_path}}/api/index.php/v1/content/article?filter[state]=1
@alikon I think the question George had was if unpublished articles will be shown to public if not using such a filter. This should not be the case, i.e. public never should see unpublished stuff.
ok unpublished content are not shown when public GET
| Title |
|
||||||
| Category | Administration Language & Strings Libraries Front End Plugins | ⇒ | Administration com_plugins Language & Strings Libraries Front End Plugins |
| Category | Administration Language & Strings Libraries Front End Plugins com_plugins | ⇒ | Administration com_modules com_plugins Language & Strings Libraries Front End Plugins |
| Title |
|
||||||
| Labels |
Removed:
?
|
||
What does the rate limit mean - 60000 what. Is big good or bad? Does 0 mean no limit?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31579.
Does 0 mean no limit?
yes
What does the rate limit mean - 60000 what. Is big good or bad?
just a big number for testing
OK I think rate limiting in core is excessive. This thing needs to be a plugin in itself and probably not part of core by default. We're supposed to provide a minimal implementation that can be extended I think.
The main thing I was looking for in the release blocker was the change to the ApiApplication (assuming that works on it's own)
These are an optional feature that is disabled by default.
allowing public GET require a bare minimum rate control imho
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-06-26 08:08:31 |
| Closed_By | ⇒ | alikon | |
| Labels |
Added:
?
|
||
@alikon PHPCS https://ci.joomla.org/joomla/joomla-cms/38066/1/6