API access control for CartoDB

There are 3 main APIs:

  1. SQL API
  2. REST API (internal use mainly)
  3. Map tiles API

Currently, CartoDB has problems with a non-standard OAuth implementation and a semi-implemented API-KEY authentication method.

We propose:

  1. Standardising the Data API (SQL + REST) on plain OAuth.
  2. Reusing the API-KEY for the Map tiles API as a 'Map Key'.

Standardising the Data API on plain OAuth

  • Remove the API-KEY access method from all APIs and authentication methods (warden.rb)
  • Update the access_token filter to store all keys in Redis: consumer, request & access
  • Implement full OAuth checking (e.g. check headers and signature) in the SQL API
  • Add automatic generation of OAuth access tokens on the user's API page if that's all they want. (The user just needs consumer and access tokens to properly sign an OAuth request.)
  • Update all libraries to take the real OAuth change into account
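The "full OAuth checking" step above is the one the SQL API gets wrong today, so here is what a complete check looks like. This is an added example, not CartoDB code: an OAuth 1.0a HMAC-SHA1 verifier that parses the Authorization header, rebuilds the signature base string, looks up the consumer and access-token secrets, enforces a timestamp window and nonce uniqueness, and compares signatures in constant time. The CONSUMERS, ACCESS_TOKENS and SEEN_NONCES hashes are stand-ins for the Redis keys the proposal describes, and all key and secret values are constructed sample data. A client-side sign_request is included only to produce realistic input.

```ruby
require "openssl"
require "base64"
require "uri"
require "securerandom"

# Stand-ins for the Redis store the proposal describes (constructed sample data).
CONSUMERS     = { "ck_demo" => "consumer_secret_demo" }
ACCESS_TOKENS = { "at_demo" => { secret: "token_secret_demo", consumer: "ck_demo" } }
SEEN_NONCES   = {}          # "timestamp:nonce" => true; in Redis this would be SETNX with a TTL
TIMESTAMP_WINDOW = 300      # seconds of clock skew tolerated before a request is rejected

# RFC 5849 section 3.6 percent-encoding: only A-Za-z0-9-._~ stay unescaped.
def oauth_escape(str)
  str.to_s.bytes.map { |b| b.chr.match?(/[A-Za-z0-9\-._~]/) ? b.chr : format("%%%02X", b) }.join
end

def oauth_unescape(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# 'Authorization: OAuth k1="v1", k2="v2"' -> { "k1" => "v1", "k2" => "v2" }, or nil if not OAuth.
def parse_auth_header(header)
  return nil unless header&.start_with?("OAuth ")
  header.sub(/\AOAuth\s+/, "").split(",").each_with_object({}) do |pair, h|
    k, v = pair.strip.split("=", 2)
    h[k] = oauth_unescape(v.delete('"')) if k && v
  end
end

# Signature base string (RFC 5849 section 3.4.1): METHOD & base URL & normalized params.
# Params are the query/body params plus the oauth_* header params, minus oauth_signature.
def signature_base_string(method, url, query_params, oauth_params)
  uri = URI.parse(url)
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
  params = query_params.to_a + oauth_params.reject { |k, _| k == "oauth_signature" }.to_a
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, oauth_escape(base_url), oauth_escape(normalized)].join("&")
end

def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha1", key, base_string))
end

# Constant-time comparison so the signature check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: build the Authorization header a properly signing library would send.
def sign_request(method, url, query_params, consumer_key, consumer_secret, token, token_secret, now: Time.now.to_i)
  oauth = {
    "oauth_consumer_key" => consumer_key, "oauth_token" => token,
    "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => now.to_s,
    "oauth_nonce" => SecureRandom.hex(8), "oauth_version" => "1.0"
  }
  base = signature_base_string(method, url, query_params, oauth)
  oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
  "OAuth " + oauth.map { |k, v| "#{k}=\"#{oauth_escape(v)}\"" }.join(", ")
end

# Server side: returns [ok, reason]. Each check is explicit so a rejection is attributable in logs.
def verify_request(method, url, query_params, auth_header, now: Time.now.to_i)
  oauth = parse_auth_header(auth_header)
  return [false, "missing or malformed Authorization header"] unless oauth
  return [false, "unsupported signature method"] unless oauth["oauth_signature_method"] == "HMAC-SHA1"
  consumer_secret = CONSUMERS[oauth["oauth_consumer_key"]]
  return [false, "unknown consumer"] unless consumer_secret
  token = ACCESS_TOKENS[oauth["oauth_token"]]
  return [false, "unknown access token"] unless token && token[:consumer] == oauth["oauth_consumer_key"]
  ts = oauth["oauth_timestamp"].to_i
  return [false, "timestamp outside window"] if (now - ts).abs > TIMESTAMP_WINDOW
  nonce_key = "#{ts}:#{oauth['oauth_nonce']}"
  return [false, "nonce replayed"] if SEEN_NONCES[nonce_key]
  base = signature_base_string(method, url, query_params, oauth)
  expected = hmac_sha1_signature(base, consumer_secret, token[:secret])
  return [false, "bad signature"] unless secure_equal?(expected, oauth["oauth_signature"].to_s)
  SEEN_NONCES[nonce_key] = true   # record the nonce only once the signature is known good
  [true, "ok"]
end
```

The order of checks matters: the cheap lookups (consumer, token, timestamp, nonce) run before the HMAC, and the nonce is only recorded after the signature verifies, so an attacker who cannot sign cannot burn nonces on behalf of a legitimate client. In the real service the timestamp window and nonce set belong in Redis with a TTL equal to the window, which is exactly the "store all keys in Redis" item above.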

Converting the API-KEY to Map Key

  • Rename the ApiKey model and tests to MapKey
  • Update provisioning in client_application.rb
  • Update views to show the Map Key, not the ApiKey
  • Store the Map Key and domain in Redis and count tiles served by the tiler
  • In the node mapper app, check the request's Referer header (e.g. Referer: http://blah/) to ensure the request is made from a map hosted on a legitimate domain (or at least record it somewhere?)
  • Automatically create a MapKey on user creation
  • Update the map tiles JS to use the MapKey
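The Redis, Referer and tile-counting items above fit together in one small check, shown here as an added example rather than CartoDB's own tiler code (the tiler is Node; Ruby is used here to match the rest of this note). MAP_KEYS is a Hash standing in for the Redis record keyed by Map Key, and the key value and domain are constructed sample data. The Referer host is matched against the stored domain(s) as an exact match or a proper subdomain, and every accepted tile request increments a per-key and per-host counter so that, even where the policy is permissive, there is a record of where tiles are being served to.

```ruby
require "uri"

# Stand-in for the per-Map-Key Redis record (constructed sample data).
MAP_KEYS = {
  "mk_demo" => { domains: ["maps.example.org"], tiles_served: 0, referers: Hash.new(0) }
}

# Lowercase host from a Referer header, or nil if the header is absent, not http(s), or unparseable.
def referer_host(referer)
  return nil if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  uri.host.downcase
rescue URI::InvalidURIError
  nil
end

# Exact match or proper subdomain of an allowed domain. Matching on ".domain" as a suffix
# rather than a bare substring keeps hosts like "maps.example.org.evil.test" out.
def host_allowed?(host, domains)
  domains.any? do |d|
    allowed = d.downcase
    host == allowed || host.end_with?(".#{allowed}")
  end
end

# Returns [ok, reason]. On success the tile counters for the key and the referring host advance.
def authorize_tile_request(map_key, referer)
  rec = MAP_KEYS[map_key]
  return [false, "unknown map key"] unless rec
  host = referer_host(referer)
  return [false, "missing or malformed Referer"] unless host
  return [false, "referer host #{host} not allowed for this key"] unless host_allowed?(host, rec[:domains])
  rec[:tiles_served] += 1
  rec[:referers][host] += 1
  [true, "ok"]
end
```

Referer is set by the client, so this is a usage-tracking control rather than an authentication step: it stops casual hot-linking of a Map Key from other sites and gives the per-host counters needed to spot abuse, which is why the recording half of the item above matters even if the domain check is relaxed. In the real tiler the two counters would be Redis INCR operations against the Map Key record.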