datahub icon indicating copy to clipboard operation
datahub copied to clipboard
verified publisher icon devinit

The look of the API landing page and tidy up questions

Open k8hughes opened this issue 6 years ago • 8 comments

It needs to be renamed to be called "Development Data Hub API" instead of DDW.

I know API pages don't need to be super designed or pretty but should we have a logo or be using DI fonts? (not sure what is the norm for API pages?)

Have we checked the API is secure and there is no risk of comprising the DDW?

k8hughes avatar Jan 17 '19 14:01 k8hughes

@k8hughes shouldn't be looking too bad anymore :)

edwinmp avatar Jan 21 '19 12:01 edwinmp

Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...

k8hughes avatar Jan 21 '19 14:01 k8hughes

@akmiller01

Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...

edwinmp avatar Jan 24 '19 09:01 edwinmp

With my knowledge of SQL and how it's programmed, I've tried my best to pen-test it, and it's not vulnerable to the common attacks. But testing it myself is a little like proofreading your own writing. Would you or Naphlin be able to take a stab at it?

On Thu, Jan 24, 2019, 4:29 AM Edwin P. Magezi <[email protected] wrote:

@akmiller01 https://github.com/akmiller01

Is it secure? I know we needed to check that the API didn;t open up the DDW to any vunerabilities...

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devinit/datahub/issues/489#issuecomment-457127791, or mute the thread https://github.com/notifications/unsubscribe-auth/ACtJaB8-1FsNTMS4DNKnG1wUOlw7fXB4ks5vGX0OgaJpZM4aFjZb .

akmiller01 avatar Jan 24 '19 11:01 akmiller01

Oh, but it's built on a read only user. So the worst vulnerability possible would be accessing data they're not supposed to (which should be explicitly blacklisted).

akmiller01 avatar Jan 24 '19 11:01 akmiller01

@akmiller01 one last bit on validation... it seems to allow any type of format one specifies. Of course the resulting file is broken, but still, I think it should accept only the allowed formats. http://212.111.41.68:8000/single_table?indicator=population_total&entities=KE,UG&start_year=2000&format=jpg

Since we're not using any authentication/secrets that may require encryption, I don't think the API not being deployed via HTTPS is a big issue... right?

edwinmp avatar Jan 25 '19 07:01 edwinmp

Yep, that makes sense to validate the file format and maybe make a new error code for unknown formats.

And I would agree with you on SSL. It's a "nice-to-have" for all web traffic, but really only necessary when the user is sending sensitive info. The connection between the server and PSQL should already be over SSL (I believe).

On Fri, Jan 25, 2019, 2:43 AM Edwin P. Magezi <[email protected] wrote:

@akmiller01 https://github.com/akmiller01 one last bit on validation... it seems to allow any type of format one specifies. Of course the resulting file is broken, but still, I think it should accept only the allowed formats.

Since we're not using any authentication/secrets that may require encryption, I don't think the API not being deployed via HTTPS is a big issue... right?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/devinit/datahub/issues/489#issuecomment-457484255, or mute the thread https://github.com/notifications/unsubscribe-auth/ACtJaBAWzIWZf_Snqe4RP5rExyFJDl9Rks5vGrWzgaJpZM4aFjZb .

akmiller01 avatar Jan 25 '19 11:01 akmiller01

I've moved this into done, but I don't know if there is a new issue that we want to docuent to remind ourselves of the SSL issue? @edwinmp @akmiller01

k8hughes avatar Jan 29 '19 15:01 k8hughes