
Tighten legacy v1 API boundaries #3015

Open

e-q wants to merge 3 commits into python:main from e-q:legacy-v1-api-boundaries

Conversation


e-q commented Jun 2, 2026

Description

  • Treat v1 API requests without API-key credentials as anonymous API requests.
  • Require active staff API-key authentication for v1 write operations.
  • Accept v1 API-key credentials only through the Authorization header.
  • Narrow legacy v1 collection methods while preserving release-file replacement
    only when scoped to exactly one release value.
  • Add focused Tastypie and v1 downloads API regression coverage for
    authentication, credential source, and collection-method boundaries.

Testing

  • Focused Tastypie and v1 downloads API regression tests: passed.
  • Focused Ruff lint and format checks on touched files: passed.
  • Whitespace check: passed.

Require unsafe v1 requests to authenticate with active staff API keys
provided through the Authorization header.

Limit collection DELETE methods to the endpoints that intentionally support
them, and keep release-file replacement scoped to exactly one release value.
Add Tastypie regression coverage for authentication, credential source, and
collection-method boundaries.
@e-q e-q requested a review from JacobCoffee as a code owner June 2, 2026 18:21

sethmlarson left a comment


Thank you! Some comments and questions:

Review comment threads:

  • pydotorg/resources.py
  • pydotorg/resources.py (outdated)
  • pydotorg/resources.py (outdated)
  • pydotorg/resources.py (outdated)
  • pydotorg/tests/test_resources.py (outdated)
  • apps/downloads/api.py

Validate ApiKey Authorization payloads before splitting credentials.

Clarify the staff API-key authorization marker and simplify legacy credential source checks.

Add regression coverage for malformed ApiKey headers.

sethmlarson left a comment


All my comments have been resolved, LGTM. Thank you!
