
Some functions of the web app depend on the API and stop working when the API is disabled

Open Obyka opened this issue 2 years ago • 2 comments

Hello, since it's now possible to disable the API in the settings, some issues arise. For example, it is not possible to upload or delete a study thumbnail in the administration section because the routes are in the API scope.

POST /api/datasets/thumbnail/[filename]
POST /api/datasets/thumbnail_delete/[filename]

Is there a way to keep the API disabled while thumbnail editing/removal works?

P.S. There may be more instances of /api/* in the web app; we would be glad to report them if we spot them.

Obyka, Nov 06 '23 14:11

We have a few more places such as the "Metadata" edit page that use the API. It would help figure out a better solution if you could describe your use case for disabling the API.

mah0001, Nov 09 '23 02:11

Our goal is to reduce attack surface on our NADA instance. Since we don't have the resources to pentest the API, we prefer to disable it solely since we're not using it yet. Only the web interface will be used.

Is there a way to replace the API route with a web route, or should we temporarily keep those routes enabled?

Obyka, Nov 09 '23 09:11