Anthias
Overhaul the REST API and its documentation.
Overview
- Anthias currently uses Flask for the REST API endpoints.
- Since we will be migrating the codebase to Django, we could make use of the Django REST Framework (which is a library separate from Django itself), or other related alternatives.
- This means that we must also update how the API docs are generated. We could make use of libraries like drf-spectacular.
Relevant issues
- Screenly/Anthias#1810 — The discussion there is one of the reasons this issue was created.
Depends on
- Screenly/Anthias#558
Hi!
During the migration, could you please secure with basic auth the /api/docs/ Swagger endpoint and probably /api/swagger.json as well?
Currently you can set up basic auth for the dashboard, but the $hostname/api/docs/ path is not secured. Therefore anybody can simply make changes to the assets or even shut down the system by calling the endpoint /api/v1/shutdown_screenly.
As a workaround I navigated into the anthias-nginx docker container with docker exec -it {ID} bash, then edited this config: /etc/nginx/sites-enabled/anthias.conf, and added these two blocks right after the root / location.
# Swagger UI: same upstream and timeouts as the root location, plus basic auth
location ~* ^\/api\/docs.*$ {
    proxy_pass http://anthias;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    proxy_read_timeout 1800;
    send_timeout 1800;
    auth_basic "Administrator's Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}

# OpenAPI schema served to the Swagger UI, protected with the same credentials
location ~* ^\/api\/swagger\.json.*$ {
    proxy_pass http://anthias;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    proxy_read_timeout 1800;
    send_timeout 1800;
    auth_basic "Administrator's Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}
These two blocks could be merged with proper regex, but I didn't want to play with them...
After this, I executed the command sudo service nginx reload, then left the docker container by typing exit.
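A check worth running before trusting an nginx-level workaround like the one above: which request paths actually end up in a location block that carries auth_basic? nginx picks a location by a fixed order (exact `=` match, then the longest prefix match with `^~` short-circuiting, then regex locations in file order, otherwise the longest prefix), so adding regex blocks "after" the root location works only because regex locations beat the `/` prefix. The script below is an added example, not code from the Anthias project or from the comment above. It parses a small, constructed nginx config (not the real anthias.conf), applies that selection order, and reports whether the chosen block requires basic auth; it also checks that a single merged regex, `^/api/(docs|swagger\.json)`, protects exactly the same paths as the two separate blocks. The `location /api/` block without auth in the sample config is an assumption made for illustration, so that the example shows the general point that protecting the docs UI does not by itself protect the API paths it documents; server-level inheritance of auth_basic is not modelled.

```python
"""Which request paths land behind nginx auth_basic? (added example, constructed config)"""
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str   # '', '=', '^~', '~' or '~*'
    pattern: str
    directives: dict


# Constructed for this example; NOT the real anthias.conf. The bare
# 'location /api/' without auth is an assumption added to illustrate the check.
SAMPLE_CONF = r"""
server {
    listen 80;

    location / {
        proxy_pass http://anthias;
        auth_basic "Administrator's Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }

    # constructed: API prefix with no auth of its own
    location /api/ {
        proxy_pass http://anthias;
    }

    # the two regex blocks from the comment above
    location ~* ^\/api\/docs.*$ {
        proxy_pass http://anthias;
        auth_basic "Administrator's Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }
    location ~* ^\/api\/swagger\.json.*$ {
        proxy_pass http://anthias;
        auth_basic "Administrator's Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{([^}]*)\}')

# one regex that could replace the two separate blocks
MERGED = r'^/api/(docs|swagger\.json)'


def parse_locations(conf: str) -> list:
    """Extract (modifier, pattern, directives) for every location block."""
    conf = re.sub(r'#[^\n]*', '', conf)          # drop comments before splitting on ';'
    locs = []
    for mod, pat, body in LOCATION_RE.findall(conf):
        directives = {}
        for stmt in body.split(';'):
            stmt = stmt.strip()
            if stmt:
                name, _, value = stmt.partition(' ')
                directives[name] = value.strip().strip('"')
        locs.append(Location(mod, pat, directives))
    return locs


def select_location(locs, path: str):
    """Mimic nginx's location selection order for a normalised request path."""
    for loc in locs:                              # 1. exact match wins outright
        if loc.modifier == '=' and path == loc.pattern:
            return loc
    best = None                                   # 2. longest matching prefix
    for loc in locs:
        if loc.modifier in ('', '^~') and path.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == '^~':
        return best                               # ^~ suppresses the regex pass
    for loc in locs:                              # 3. regex locations, file order
        if loc.modifier in ('~', '~*'):
            flags = re.IGNORECASE if loc.modifier == '~*' else 0
            if re.search(loc.pattern, path, flags):
                return loc
    return best                                   # 4. fall back to the prefix match


def requires_basic_auth(conf: str, path: str) -> bool:
    """True if the block nginx would pick for `path` has auth_basic enabled."""
    loc = select_location(parse_locations(conf), path)
    return loc is not None and loc.directives.get('auth_basic', 'off') != 'off'


def merged_matches_same(conf: str, paths) -> bool:
    """True if MERGED matches exactly the paths the separate regex blocks match."""
    regex_locs = [l for l in parse_locations(conf) if l.modifier in ('~', '~*')]
    for p in paths:
        separate = any(
            re.search(l.pattern, p, re.IGNORECASE if l.modifier == '~*' else 0)
            for l in regex_locs)
        if separate != (re.search(MERGED, p, re.IGNORECASE) is not None):
            return False
    return True


if __name__ == '__main__':
    for p in ['/', '/api/docs/', '/API/DOCS/', '/api/swagger.json',
              '/api/v1/shutdown_screenly', '/api/v1/assets']:
        print(f'{p:28} auth_basic={requires_basic_auth(SAMPLE_CONF, p)}')
```

Run it as-is and the docs and schema paths (including the upper-cased variant, because `~*` is case-insensitive) come back as protected, while `/api/v1/shutdown_screenly` falls through to the constructed `/api/` prefix block and comes back unprotected. Against a real deployment, paste the actual location blocks from anthias.conf into `SAMPLE_CONF` (or feed the file in) and confirm every API path you care about, not just the documentation, resolves to a block with auth_basic.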