SWORD: disable auth via username and password in favor of API key/token #1823
Comments
As of c0f1980 we are no longer allowing authentication to SWORD via usernames and passwords. An API key/token is required. I ran this by @rliebz and @axfelix yesterday and they seemed ok with the change: http://irclog.iq.harvard.edu/dataverse/2015-03-31#i_17668 . Heads up to @leeper about this. I also updated the docs and emphasized that this is a backwards-incompatible change (for good reason, better security): http://guides.dataverse.org/en/latest/api/sword.html I had to adjust the apitester code at IQSS/dataverse-apitester@1c7c2c1 to get the tests to continue to pass: https://build.hmdc.harvard.edu:8443/job/apitest.dataverse.org-apitester/28/ Passing to QA.
Thanks for the cc. Seems like a good idea to me, despite loss of backwards-compatibility.
You can now retrieve your API token via the API per #1818. We don't yet have a way to generate an API token through the API using username/password, but that ticket is #1935. For now you must use the GUI: http://guides.dataverse.org/en/latest/user/account.html#generate-your-api-token
Are there now any places (in any of the APIs) where username and password are needed or is everything now done by API key?
@leeper I would not say that usernames and passwords are needed by the API since we're requiring API tokens now, but you can look up your API token like this: https://apitest.dataverse.org/api/v1/builtin-users/spruce/api-token?password=spruce This was developed in #1818. In #1935 we've been asked to allow users to generate an API token with a username and password. See also this related issue: IQSS/dataverse-client-python#16
Okay, thanks! On Thu, Apr 30, 2015 at 3:46 PM, Philip Durbin [email protected]
Even though we've always required HTTPS for SWORD, we have long recognized that it's suboptimal to have people pass their actual username and password to authenticate.
Now that we have API keys/tokens (#1293) we'd like to make their use required.
Obviously this is a big change and, assuming it lands in 4.0, will be highlighted at the top of http://guides.dataverse.org/en/latest/api/sword.html#backward-incompatible-changes