API Example (Python): User Dataset with multiple entire projects with merged

[nozomione]

Issue Number

Closes #1850

Stacked PR of #1868

Purpose/Implementation Notes

This PR adds a new API Example file demonstrating how to create, process, and download a User Dataset with multiple projects including merged objects.

Types of changes

• New feature (non-breaking change which adds functionality)

Functional tests

The implementation is tested vialoadlhost (*excluding processing API call for now).

Checklist

• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)
• Any dependent changes have been merged and published in downstream modules

Screenshots

N/A

In general, to fix clear-text logging of sensitive information you should avoid writing secrets (passwords, tokens, private keys, etc.) directly to logs. If logging is desired for debugging, you can instead log non-sensitive metadata (such as whether a token was loaded, its source, or a truncated/masked version) that does not allow reconstruction or misuse of the secret.

Here, the problematic code is the print("Using existing token", API_TOKEN) after loading the token from .token. The script does not need to reveal the token value; it only needs to acknowledge that an existing token is being used. The best fix that preserves behavior is to change this print to omit the token value and instead log a neutral message like "Using existing token from .token" or just "Using existing token.". No additional imports or methods are required; we just adjust the message at line 223 in api-examples/download-user-datasest-with-merged-objects.py to stop including API_TOKEN.

In general, to fix clear-text logging of sensitive information, remove the sensitive value from log messages or mask/redact it before logging. Logs should contain only what is necessary for observability (e.g., that an action occurred), not private identifiers.

Here, the only problematic usage is in the print(f"Fetching token with {API_TOKEN_EMAIL}") statement. The best fix that preserves functionality is to change the log message so that it no longer includes the email address at all. The script only needs to inform the user that it is fetching a token; including the email is not required for the code to work or for debugging. So we should replace that line with a generic message such as print("Fetching token") or, if you want a hint that user configuration is involved, something like print("Fetching token using configured email") without interpolating the actual email value.

Concretely, in api-examples/download-user-datasest-with-merged-objects.py, around line 225 in the else branch where the token file does not yet exist, replace:

print(f"Fetching token with {API_TOKEN_EMAIL}")

with a version that omits API_TOKEN_EMAIL, e.g.:

print("Fetching token")

No new methods or imports are needed; this is a straightforward change to the log message.

In general, to fix clear‑text logging of sensitive information, you should prevent sensitive values (passwords, tokens, emails, etc.) from being included in log messages. This can be done by either removing the sensitive data from the message, masking/redacting it, or replacing it with a generic placeholder that preserves functionality (e.g., “your configured email”) without exposing the exact value.

For this specific case, the simplest and least disruptive fix is to change the print call on line 288 so that it no longer interpolates API_TOKEN_EMAIL. The functional behavior of the script is to inform the user that they should check their email for a notification; this purpose is satisfied without echoing the actual address. We can rephrase the message to something like: Check your email for the dataset download notification. or, if necessary, “Check the email address you configured for the dataset download notification.” This change requires editing only that single line; no new imports, methods, or definitions are needed.

Concretely:

• In api-examples/download-user-datasest-with-merged-objects.py, replace the print statement at line 288 to remove {API_TOKEN_EMAIL}.
• Keep all surrounding logic (dataset creation, etc.) unchanged.

[nozomione]

@davidsmejia , currently there are two implementation approaches included for the custom get_data method:

• Option 1: Use the projects endpoint only (Version 1: get_data)
  • Query a list of projects via request_api
  • Populate data locally using sample ID fields (e.g., modality_samples, multiplexed_samples) via get_data
• Option 2: Use both the projects and samples endpoints (Version 2: get_data_by_samples)
  • Query a list of projects to retrieve project IDs via request_api
  • Make a second request to the samples endpoint using the fetched project IDs to populate data via get_data ,which internally calls request_api

I'd like to hear your thoughts. Thank you, David!

UPDATE: Per discussion, these methods are no longer used and removed from the example.

[nozomione]

🗒️ The value of API_BASE will be updated to the production API and TODO will be removed before merging.

[nozomione]

I've applied your feedback and made the following changes to simplify the flows:

• Removed both get_data and get_data_by_samples and directly populate a data dictionary in the 2. Prepare Your Dataset section
• Removed the logic for multiplexed samples
• Removed variables for boolean flags (e.g., includes_merged, includes_bulk)

This PR is ready for another look. Thank you, David!