CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site

This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Developer Discussion »
  • APIs and Hooks (Moderator: Donald Lobo) »
  • rest.php interface: a few questions/rant
Pages: 1 [2] 3

Author Topic: rest.php interface: a few questions/rant  (Read 19003 times)

acrosman

  • Guest
Re: Should be easy to patch
November 11, 2008, 12:45:58 pm
Quote from: xavier on November 11, 2008, 08:38:48 am
Do you think you'll be able to share the new api you created before the code freeze end of the month ?

I hope so.  I'm trying to push the team along to get at least the library completed, even if the other aspects of that project need more time.  I caused a significant delay in the process, so I don't want to appear to be too demanding, but at the same time I understand that others are going eager to get this moving.

Aaron

acrosman

  • Guest
Re: rest.php interface: a few questions/rant
November 11, 2008, 01:03:05 pm
Quote from: xavier on November 11, 2008, 11:50:48 am
Just to be sure we understand each other: with my patches, you replace &key=<bla> by &PHPSESSID=<bla> and it works in a machine to machine, no need to bother about session.

The ultimate goal is to be able to have a permanent key, that you can put on any query and it just works.

Ahh, that makes sense.  It should be easy enough to design the library to handle both types of responses.  We will need to start making sure we keep track of changes that impact existing code so that we don't cause undue problems for developers.

Aaron

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 11, 2008, 02:27:23 pm
Hi,

Of course I try not to break it. You can still use the key and handle the session via the cookie as you do now. The only difference is that the key returned by the login doesn't matter anymore, but it's still there for compatibility reason.

We might as well put a "OBSOLETED, use PHPSESSID" as a default key ?

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 11, 2008, 02:31:47 pm
Quote from: Donald Lobo on November 11, 2008, 12:33:50 pm

You will need to write another authenticate function and call that when you are sending in a "pass-phrase" unique to each user and do the work there. (i.e. find the userID / contactID and set that in the session)

ajax requests definitely would not want to reauthenticate and send in hash key etc


Well, for ajax requests, the problem is solved already: you don't send anything, and it uses your existing session (passed via cookie) to authenticate yourself

-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

cap10morgan

  • I post occasionally
  • **
  • Posts: 56
  • Karma: 9
Re: rest.php interface: a few questions/rant
November 12, 2008, 11:05:33 am
The standalone implementation is already sorely in need of a different way to authenticate for REST calls. Using an OpenID for machine-to-machine auth seems rather cumbersome (standalone uses OpenID for regular user auth).

It sounds like the direction you all are headed in will help here, but wanted to put this on your radar screen too. I'm happy to help if standalone isn't something you're particularly interested in.

I love the move towards statelessness, but what about the other aspects of REST? Namely, making everything a resource and then operating on those resources via GET, PUT, POST, DELETE HTTP verbs? Would be great to see that happen and then have CiviCRM's web interface be the flagship client for it (but not the only one).

With that in place, we could get the various front-ends (standalone, Drupal module, Joomla! module, XML / JSON feeds) to use a common REST interface for interacting with the back-end of the system. Then we fully document that REST API, keep it pretty stable across minor revisions, and voila, CiviCRM the platform is born. :)

acrosman

  • Guest
Re: rest.php interface: a few questions/rant
November 12, 2008, 11:52:40 am
I had wondered how the standalone was doing authentication...

So I'm back to asking:  Lobo, what would it take to get a field in the database to store some kind of secret-key for the REST interface to use? 

It also suggests that we still might want the "both" authentication scheme I mentioned yesterday.  The PHPSESSIONID can replace the old, duplicate key for authenticated sessions, but for a stateless/non-authenticated sessions we'll need to a key of some kind (32 random alphanumeric characters?).

Aaron

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: rest.php interface: a few questions/rant
November 12, 2008, 01:02:42 pm
Quote from: acrosman on November 12, 2008, 11:52:40 am
So I'm back to asking:  Lobo, what would it take to get a field in the database to store some kind of secret-key for the REST interface to use? 

we can do this for 2.2. We prefer not to change the schema once a release happens (i.e. lets not do this in 2.1)

should we call it secret_key and make it varchar(32)?

lobo
« Last Edit: November 12, 2008, 01:06:05 pm by Donald Lobo »
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 13, 2008, 03:41:31 am
Hi,

See my suggestion for a file based permanent key authentication authorization_keys based (cf below on this thread).

I really think it should be offered to a small handful of users, and modifying a file is good enough for the profile of the users that will need it... beside being a tad easier to develop ;)

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

acrosman

  • Guest
Re: rest.php interface: a few questions/rant
November 13, 2008, 07:23:48 am
I would much rather see the field be in the database.  This would allow us to easily add a way to modify the field in the user interface (have a display field, and a regenerate button).  I'm not sure that it will make development significantly harder, and it seems more consistent and cleaner to me.

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 13, 2008, 10:16:05 am
let me reiterate for the last time:
Everyone having the key will get access, for as long as no one changes the key.
Based on my experience with ssh, no one bothers managing the keys, I still have access on servers I shouldn't, and most probably people still have access on mines they shouldn't.

If you add the key at the contact level (still not clear what a contact not linked to a user should get access to), you happily multiply the risks. add on that a lot of "admin level" users that won't understand the security implications of that strange and meaninless string, and you will have compromised systems.

Nearly all users hardly bother changing their password, even after they have shared their access. A key is like a cleartext password, I just have to take a snapshot/intercept a screen containing it and I get access to your machine. The less these things exists, and the less often they are visible, the better I'd be.

On my installs, i'd really wouldn't want to have more than one key per other server accessing me. In most installations, that's going to be zero, and on some I might go as high as one, might be two on my demo, but I'd doubt I'll get any higher than that.

Whatever you do, I'd strongly suggest to have at list a whitelist system, that will keep out the keys beside the ones of the users I want. the authorized_keys.php has that function, beside defining the keys as well.

This being said, Lobo or Dave, whatever your last word will do for me, I think we've all expressed our opinion, that's your call ;)

X+
« Last Edit: November 13, 2008, 10:20:41 am by xavier »
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

acrosman

  • Guest
Re: rest.php interface: a few questions/rant
November 13, 2008, 11:29:07 am
I agree that Lobo et al. have final say, and I'm happy to defer their experience/wisdom/autocratic rule. ;) 

Let me see if I understand what your suggesting because we are clearly talking at cross purposes here.
You are suggesting that we create a key that lives in a file someplace, that when connecting on a non-authenticated session you would have to provide as part of the query string (?q=civicrm/command&key=data_from_file).  Would you also then provide a username/password pair on every call as well  (?q=civicrm/command&key=data_from_file&user=UserName&password=Password)?  Am I understanding your suggestion correctly?

From how I see it, the long form of this is required to make it work smoothly over time (see discussion of security integration below), but it would be overkill without adding security to the connection. 

What I am proposing is that the User Framework be augmented to handle the extra field (not contacts that have no user).  Perhaps there is a good reason not to do this, and I certainly didn't explain it as carefully as I should have yesterday when I requested the field. The user would then provide one of two things on a call either a valid PHPSESSIONID (like your current patch provides), or a key that would allow authentication as the user (?q=civicrm/command&key=user_specific_key).

I think the security considerations here are offsetting.  On the one hand you're right, rarely to people manage user access correctly and placing the key in the interface does create a place it can be captured by an attacker.  However, the PHPSESSIONID is just as susceptible to MIM attacks and session hijacking if you run over an unencrypted connection.  If you're worried about someone picking off the key in this fashion, you need to be running an encrypted connection anyway.  And if you manage security badly, then you will do that with a shared key or user-specific key, I don't really see an advantage here either way.

The advantages of the individual keys as I see them are that is makes integration into the security system easier and makes the user experience better.  It also avoids us from having to have another file that people have to know exists (or can exist) and maintain.

Having a key per user allows us to run the API within the security system of CiviCRM, instead of having to bolt-on special controls for key-based usage. It could allow us to honor ACLs (even if we don't at first) and other forms of controlling access. Going with a shared key also makes me feel like we're talking about adding challenges later when ACLs are changed, or other new forms of access control are added.

It also allows to continue to control access rights in one place, not two.  I think there is a risk with a file-based key that we could open some users up to thinking they have cut access off, only to discover that there is a backdoor they forgot existed.

I'm all for a whitelist, but how the heck do we manage it in a user friendly way?

Aaron

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 13, 2008, 11:36:47 am
Hi,

Good point. In my mind, it's a replacement of the user+password, not an aditionnal parameters. I really really don't like having my password on a get string, even less on every on them.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: rest.php interface: a few questions/rant
November 13, 2008, 11:57:06 am

(ok, i had typed in a response before the last two messages came in, so am now reevaluating :)

so the latest suggestion that all api calls are of the form:

?q=civicrm/command&key=SOME_SECRET_KEY

and then the code does a db lookup to find the contactID that matches the KEY and ensure there is a userID before doing the operation?

I initially agreed with xavier and wanted to keep things simple and file based, but I've changed my position and now agree with aaron :) Doing it at the contact level to begin with allows us to have more options down the road. its not a bit change (from a db/code perspective), and can accomodate xaviers case very easily (i.e. the admin sets the key for only one specific contact). I think since this key is so special, we can keep the interface separate from the contact edit screen

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: rest.php interface: a few questions/rant
November 13, 2008, 12:57:17 pm
Quote
?q=civicrm/command&key=SOME_SECRET_KEY

I'd say that's civicrm/entity/action

(it would imply using civicrm/user/login instead of civicrm/login)

While we are at it, can't we change and have two separate parameters and drop the civicrm ?
entity=XXX&action=ZZZ

and (from a drupal point of view at least) having a shorter url than example.org/sites/all/modules/all/civicrm/extern/rest.php

i'd go for
example.org/rest/entity/action

eg.
example.org/rest/contact/search?q=searchstring
example.org/rest/group/group_contact/add?contact_id=4&group_id=6

You will note that it's almost the syntax we went for in the doc anyway ;)
http://wiki.civicrm.org/confluence/display/CRM/REST+interface

Quote
and then the code does a db lookup to find the contactID that matches the KEY and ensure there is a userID before doing the operation?

What's the point of the intermediate key->contact->user instead of key->user

Quote
Doing it at the contact level to begin with allows us to have more options down the road. its not a bit change (from a db/code perspective), and can accomodate xaviers case very easily (i.e. the admin sets the key for only one specific contact). I think since this key is so special, we can keep the interface separate from the contact edit screen

The key is conceptually to a user, not to a contact. IMO it's a separate table (authorized_users{key,userid}) or a field of the user table (I don't have anything against databases, but I don't think the key is an attribute of a contact, but of a user).

This being said, as long as long that only a few users (oops, contacts;) got an associated key, that's fine for me.

Could someone enlight me on how it works for the standalone version ? Are the rights already set at the contact level and how do the openid association works (ie. if I add an openid to a contact, does it automatically grants her an access ?)
X+
« Last Edit: November 13, 2008, 01:08:48 pm by xavier »
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

dalin

  • I post occasionally
  • **
  • Posts: 89
  • Karma: 8
  • CiviCRM version: many
  • CMS version: Drupal 6
  • MySQL version: 5.0
  • PHP version: 5.2
Re: rest.php interface: a few questions/rant
November 18, 2008, 05:15:33 pm
Quote
With that in place, we could get the various front-ends (standalone, Drupal module, Joomla! module, XML / JSON feeds) to use a common REST interface for interacting with the back-end of the system. Then we fully document that REST API, keep it pretty stable across minor revisions, and voila, CiviCRM the platform is born.

I'm not too fond of this idea.  Someone correct me if I'm misunderstanding.  The above implies that when civicrm_hook_user() gets fired it would perform an HTTP request to the REST interface instead of directly calling other CiviCRM functions.  This would mean that every time a user submits a registration form, a user edit form etc. a second HTTP request is made.  This would be a considerable hit for some of our bigger high traffic sites.  Especially when doing any sort of bulk operations on users.

I can see the benefit of autocomplete forms etc. using the REST interface, but not for other front-end activity. 

Quote
example.org/rest/entity/action

I would prefer example.org/civicrm/rest/entity/action to avoid namespace collisions.  After all, the REST API is only for CiviCRM and not for all of example.org.

Quote
What's the point of the intermediate key->contact->user instead of key->user

Because CiviCRM calculates ACL both on the user level and the contact level.  A REST API should respect both.  An autocomplete form should not return information that the current contact doesn't have access to (due to CiviCRM's internal contact level ACL).  And so that a user who no longer has access to CiviCRM (via the "Access CiviCRM" user permission) doesn't have an open backdoor via the REST API. 


--
Dave Hansen-Lange
Web Developer
Advomatic LLC
http://advomatic.com
Hong Kong office

Pages: 1 [2] 3
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Developer Discussion »
  • APIs and Hooks (Moderator: Donald Lobo) »
  • rest.php interface: a few questions/rant

This forum was archived on 2017-11-26.