launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/launchpad/who-cares-about-anonymous-consumer-keys into lp:launchpad

 

Colin Watson has proposed merging lp:~cjwatson/launchpad/who-cares-about-anonymous-consumer-keys into lp:launchpad.

Commit message:
Stop creating OAuthConsumer rows for anonymous webservice requests.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/who-cares-about-anonymous-consumer-keys/+merge/336864

This seems like as good a way as any to deal with the current test failures on devel.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/who-cares-about-anonymous-consumer-keys into lp:launchpad.
=== modified file 'lib/lp/services/webapp/servers.py'
--- lib/lp/services/webapp/servers.py	2018-01-25 12:45:47 +0000
+++ lib/lp/services/webapp/servers.py	2018-01-30 18:36:33 +0000
@@ -1284,18 +1284,13 @@
 
         if consumer is None:
             if anonymous_request:
-                # This is the first time anyone has tried to make an
-                # anonymous request using this consumer name (or user
-                # agent). Dynamically create the consumer.
-                #
-                # In the normal website this wouldn't be possible
-                # because GET requests have their transactions rolled
-                # back. But webservice requests always have their
-                # transactions committed so that we can keep track of
-                # the OAuth nonces and prevent replay attacks.
+                # Require a consumer key (or user agent) to be present, so
+                # that we can apply throttling if necessary.  But webservice
+                # GET requests have their transactions rolled back, and at
+                # the moment we don't do anything with the consumer in this
+                # case, so there's no point dynamically creating a consumer.
                 if consumer_key == '' or consumer_key is None:
                     raise TokenException("No consumer key specified.")
-                consumer = consumers.new(consumer_key, '')
             else:
                 # An unknown consumer can never make a non-anonymous
                 # request, because access tokens are registered with a
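Review bot: in the `if anonymous_request:` branch, `consumer` is still None once this block finishes, so any later code that reads an attribute of `consumer` needs a guard; please confirm the rest of the function only uses it on the non-anonymous path. The new comment also says webservice GET requests have their transactions rolled back, while the comment it replaces said webservice requests always have their transactions committed so that OAuth nonces can be tracked. A short pointer to what changed would help, as would a word on anonymous non-GET requests, since nothing in this branch checks the request method.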

=== modified file 'lib/lp/services/webservice/stories/xx-service.txt'
--- lib/lp/services/webservice/stories/xx-service.txt	2016-09-21 02:50:41 +0000
+++ lib/lp/services/webservice/stories/xx-service.txt	2018-01-30 18:36:33 +0000
@@ -76,13 +76,6 @@
     >>> print response.getheader('status')
     200 Ok
 
-Launchpad automatically adds new consumer keys it sees to its database.
-
-    >>> login(ANONYMOUS)
-    >>> print consumer_set.getByKey(u'another-new-consumer').key
-    another-new-consumer
-    >>> logout()
-
 Anonymous requests can't access certain data.
 
     >>> response = anon_webservice.get(body['me_link'])
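Review bot: the block removed after the `200 Ok` check was the only assertion in this part of the story about consumer registration, and nothing replaces it, so the new behaviour is untested here. Consider keeping the `login(ANONYMOUS)` / `logout()` pair and asserting that looking up u'another-new-consumer' through `consumer_set.getByKey` no longer finds a row.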
@@ -129,23 +122,6 @@
     ...
     {...}
 
-Here, too, the OAuth consumer name is automatically registered if it
-doesn't exist.
-
-    >>> login(ANONYMOUS)
-    >>> print consumer_set.getByKey(agent).key
-    unsigned-user-agent
-    >>> logout()
-
-Here's another request now that the User-Agent has been registered as
-a consumer name.
-
-    >>> response = request_with_user_agent(agent)
-    >>> print response.getOutput()
-    HTTP/1.1 200 Ok
-    ...
-    {...}
-
 An unsigned request, like a request signed with the empty string,
 isn't logged in as any particular user:
 
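Review bot: dropping the second `request_with_user_agent(agent)` call removes the check that a repeated unsigned request with the same User-Agent still returns `HTTP/1.1 200 Ok`. With no consumer row being created, the first and repeated requests should now behave identically, so keeping the repeat request with reworded prose would document that cheaply.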

