API: View data in dataverse only works with authenticated user key even on public dv. Needs doc or change. #1809
Comments
|
We had discuss this under the "should guest user have an API key" subject. The decision was that all APIs require API key an thus a registered user of some sort. Technically, it would be very easy to just return guest user if no API key is provided, and take it from there. |
|
Without an API key you can use the Search API, the Data Access API, the "meta" API (used by TwoRavens), and probably others, as I mentioned in a recent comment on a Google Doc. For the Search API I'm using GuestUser until I get around to finishing #1299 |
|
I'm sure requiring API keys/tokens will prevent potential collaborators from even trying out our APIs. They'll see "API token required. Please sign up." If they bother to try to sign up they'll see "give us your email address." Some will do this. Many will stop being interested in our APIs. I prefer the GitHub model where they let you use their APIs without sign up but they rate-limit you. It's much friendlier to potential collaborators. |
|
For 4.0 we will block. Opened issue #1838 for future consideration of opening. |
|
Passing to @pdurbin to add token logic to search. |
|
As @scolapasta and I discussed, since we're not supporting public search until #1299 we'll require an API token for the Search API but then execute the search as the guest user. |
|
I just had another thought about the implications of requiring an API token for Saved Search. It will mean that my little proof of concept Android app at https://github.com/IQSS/dataverse-android will stop working because it (currently) doesn't do any authentication. My plan would be to have it make use of the new "retrieve your API token" endpoint developed in #1818. But who cares about my little Android app. There's more. From chatting with @landreev last night it came to my attention that we are considering also requiring an API token for downloading files. This adds friction for people who would like to download unrestricted published data. I'm reminded of the "Direct access to data via URL?" thread on our mailing list that began with this:
In the scenario where downloads required an API token, what would the script described above look like? Would it prompt you for your Dataverse username and password and then retrieve your API token, and then proceed to download the files? If the person trying to download the files with the script doesn't have a Dataverse account would it prompt you to create a local/builtin account? (Shibboleth accounts can only be created via a browser and likewise Shibboleth users can not retrieve their API token via the API.) Is this what we'll recommend to researchers who want to write scripts like the one described above? Even if their desire is to publish their files with the fewest restrictions possible? /cc @mcrosas @scolapasta @landreev @michbarsinai |
|
This issue about terms of use will not happen moving forward for datasets that have a CC0 and the data files are not restricted. Since there are several use cases to consider, let's make a final decision next week on the tokens for public APIs with @scolapasta @landreev @michbarsinai @pdurbin @kcondon (I do care about the Android app, but we also want to plan this well and safely! ) |
Of course, as predicted above, it no longer works. I opened a ticket to add the ability to retrieve one's API token: IQSS/dataverse-android#1 |
|
@scolapasta and @mcrosas I believe your intention is that even unrestricted published files should not be able to be downloaded without using an API token. Is that correct? I bring this up because I just pushed the latest code (e945eeb) to https://apitest.dataverse.org and I can still download files without any authentication: Please note that you can also download preview images with no authentication at https://apitest.dataverse.org/api/access/fileCardImage/12 for example. @mcrosas and @scolapasta is this what we want? I'm changing the status of this ticket to Critical. |
|
To be discussed with @scolapasta @pdurbin @landreev on Monday (4/6) |
|
Moved to review for release patch |
|
Left to solve: Download API needs to deal with Terms of Use (in cases that files are unrestricted) @landreev moved to 4.0.1 |
|
For 4.0.1 we'll block the API for these cases (wither for everybody, or everybody except data owners/curators ...) |
|
Reviewed this issue with @scolapasta who agrees that we can close it, and continue to track further development related to API's and token in the new issue he opened, Consider options for opening APIs without tokens #1838. |
The view data in dataverse works but only if you are an authenticated user and supply the key.
If the dataverse is unpublished, you need perms.
This is not mentioned in the doc but does indicate a key is needed on failure.
View data about the dataverse identified by $id. $id can be the id number of the dataverse, its alias, or the special value :root.
GET http://$SERVER/api/dataverses/$id
The text was updated successfully, but these errors were encountered: