New Release v1.31.0 - #minor #503
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add content length check when validating external asset url. Add test cases.
…rnal_asset_href using GET range request instead of HEAD to check external asset reach…
Django is configured to use CSRF mitigation tokens. This only works for clients that are web browsers. Typical API clients are not web browsers, do not keep track of cookies and fail CSRF mitigation checks. The old token authentication method works around that by disabling CSRF mitigation when that authentication method is used. With this change, we do the same for the new token authentication method. In PB-1009 we implemented the new authentication method for the Admin UI. This change does the same for the API endpoints and add tests exercising it. The API endpoints are rest_framework views that rely on authentication methods defined by the REST framework which is different from the Admin UI authentication plumbing. To support both, we need to have modules for both even though they basically do the same thing. Specifically: * create `api_gateway_authentication` as `rest_framework` authentication module * create `api_gateway_middleware` as generic Django authentication module (for Admin UI) * abstract the common parts into a new `api_gateway` module * configure both authentication modules in the debug build * add tests exercising a PUT API endpoint for both v0.9 and v1, including CSRF checks This is all flag-guarded behind FEATURE_AUTH_ENABLE_APIGW.
PB-1366: make new auth work for write requests.
Add forecast properties to search filter for GET and POST. Refactor forecast:variable and forecast:perturbed descriptions into schema properties to be reused.
Add filters for forecast properties to search endpoints. Can filter for forecast_reference_datetime either by exact value or by a range.
Decided to remove the forecast parameters because the variable name differs to the post variable names (using underscore instead of colon) and colons need url encoding.
Decided to remove the forecast filtering options from the GET /search request due to colons in the parameter names. Also fixed the POST request body to actually use the parameters that contain a colon.
Fix code comments. Refactor create sample data names.
Add index for the item forecast properties as they can be used as filters in the item search.
Move models file into folder /models and rename file to general.py. Fix all imports that referenced the models file.
ltshb
reviewed
Jan 27, 2025
There was a problem hiding this comment.
Can existing user still access the admin page and API the way they use to do it ? Or do they need new credentials ? If they can't access anymore admin page and/or API with their current credentials I would create a major release (add #major in the PR title) and we need to do some coordination for the deployment.
Move collection related models into separate file. Move item related models into separate file. Fix import statements across all files.
The changes in this PR do not actually change the way authentication works. That will be done when the FEATURE_AUTH_ENABLE_APIGW flag is enabled (which happens at Kubernetes level). Even then, the old authentication mechanism keep working in the same way. Hence I believe this qualifies as a minor release. |
ltshb
approved these changes
Jan 27, 2025
PB-1169 Search forecast properties
boecklic
approved these changes
Jan 28, 2025
This also improves the existing documentation: * explain what session authentication is for; * point to relevant RFC for Basic authentication; * be more explicit about the old Token authentication; * add link from /get-token description to the Authentication section.
The [GitGuardian Bearer token detector](https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/generics/bearer_token) does not like it when we add a realistic-looking token. The documentation shows a few ways to make it ignore that token. In this change we use the dummy "123456" value. The previous token was a more realistic dummy but a dummy nonetheless. It has never been a valid token and could not be used to access anything.
This also removes documentation for the /get-token endpoint as it is only relevant for the old Token authentication method. The old authentication methods (Basic and Token) are only supported for v0.9. We do not update the v0.9 spec via the Makefile any more.
PB-1282: document the new authentication method.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The main purpose of this new release it to allow the new authentication method to be used in INT and PROD for PB-1284. This also includes changes required for PB-1372 "allow GET range request to check external asset href".