Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Anonymous user geneset building #46

Open
ravila4 opened this issue May 13, 2022 · 5 comments
Open

Anonymous user geneset building #46

ravila4 opened this issue May 13, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@ravila4
Copy link
Contributor

ravila4 commented May 13, 2022

Copied from biothings/mygeneset.info-website#30

Currently, the website's "Build" page allows users to build and download genesets while logged out. There is also a "Create" button that would allow the user to create an "anoymous" geneset in the database, but this feature is not implemented at the moment.

We need to decide whether we want to support these two Build/Download features, and may need to implement a few things to make this workflows smoother.

Downloading anonymous genesets - This is mostly working, and I think it's a good idea to keep.
One thing that could be improved is offloading some of the geneset creation code to the backend. The benefit would be that the data would match exactly what the database would record if the user was logged in. One way to do it is to allow unauthenticated POST requests with the --dry_run flag (This could also be useful for testing). In this case, to download a geneset we simply fetch the JSON from the response, and transform it to csv/tsv/gmx formats if needed.

Creating anonymous genesets - Not supported. Currently returns a 401 Unauthorized Error if user is not logged in.
If we don't plan to support it, we should remove the button for logged out users, and update the text under the Login page's "Use As Guest" section.
I'm open to discussion into reasons to support it, but I think we would have to address a few questions on the backend namely:

  1. If an anonymous user creates a geneset, who can edit/delete it? (Perhaps it could be temporary and auto-delete itself?)
  2. How to keep track of changes, and avoid conflicts? e.g. If two people edit the same geneset at the same time.

I'll duplicate this issue in the mygeneset backend repository, to track any changes it may require in the backend.

@ravila4
Copy link
Contributor Author

ravila4 commented Nov 10, 2022

Update: I have enabled creating anonymous public genesets. It may be beneficial to enforce XSRF cookies if we only want the approved frontend application to do this.

@ravila4
Copy link
Contributor Author

ravila4 commented Nov 11, 2022

Merged in: #64

@ravila4
Copy link
Contributor Author

ravila4 commented Nov 11, 2022

Some other important consideration regarding anonymous genesets:

  1. Rate limiting: We may want to limit POST and PUT requests to the /user_genesets endpoint to say, once per second.
  2. Deleting old anonymous genesets. Anonymous genesets could have a default expiration date of say, 1 month (but we could allow customization for shorter or slightly longer expiries). Anonymous genesets are intended to allow quick sharing or user testing of the application, but we want to encourage users to associate an account for long-term storage.

@ravila4
Copy link
Contributor Author

ravila4 commented Nov 13, 2022

I'm leaving this open for reference, in case we want to implement other security features.

@ravila4
Copy link
Contributor Author

ravila4 commented Nov 13, 2022

Note, we also previously discussed using XSRF cookies to prevent other websites/clients from writing anonymous genesets.
However, this would not prevent the automated writing/editing of genesets, which can still be easily done if the user logins with a browser and copies the value of the user_cookie.

Implementation of XSRF cookie protections

The code that I commented out here would enable XSRF cookie checks on anonymous POST requests to the user_geneset endpoint:
https://github.com/biothings/mygeneset.info/blob/master/src/web/handlers/api.py#L44-L49

Currently, the xsrf_token endpoint provides an html chunk that, when rendered by the frontend, should generate an xsrf_cookie. The problem is that if it is being rendered inside an iframe, the request may not be able to read the value of this cookie to submit as a custom HTTP header named X-XSRFToken. We need to check whether it can be accessed from the javascript code that makes the request: https://github.com/biothings/mygeneset.info-website/blob/main/src/api/genesets.ts#L127-L164

Tornado documentation: https://www.tornadoweb.org/en/stable/_modules/tornado/web.html#RequestHandler.check_xsrf_cookie

@ravila4 ravila4 added the enhancement New feature or request label Nov 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant