GET /object: allow no-auth access #312

Merged
norrisng-bc merged 1 commit into master from feature/get-public-objects-no-auth
Aug 12, 2025

norrisng-bc commented Jul 18, 2025

Description

The GET /object (search objects) endpoint can now be accessed without authentication, but with the following restrictions:

  • A bucketId or objectId (or both) must be specified
  • Only a subset of all the available parameters are available: bucketId, objectId, public, page, limit, sort
  • The public parameter must be set to true
  • Potentially sensitive fields (path, createdBy, updatedBy, lastSyncedDate) are redacted in the response

Non-authenticated requests without the above will result in an HTTP 403.

This is in preparation for the upcoming "public folders" feature.

Tests to follow in separate PR. DO NOT DEPLOY TO PROD!

https://apps.nrs.gov.bc.ca/int/jira/browse/SHOWCASE-3969

Types of changes

New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING doc
  • I have checked that unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

Tests will be added in a later PR due to time constraints.

This PR is meant to be deployed to DEV and/or TEST only, in order to provide a demo-able minimum viable product and facilitate BCBox testing.
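
The unauthenticated-access rules in the description above, sketched as an added example; this is not code from the PR or from the project. The function names (`authorizePublicSearch`, `redactForPublic`) and the sample records and queries are hypothetical and constructed for illustration; only the parameter allow-list and the redacted field names come from the description.

```javascript
// Added example: hypothetical helper names, not identifiers from the project's code base.
const ALLOWED_PARAMS = new Set(['bucketId', 'objectId', 'public', 'page', 'limit', 'sort']);
const REDACTED_FIELDS = ['path', 'createdBy', 'updatedBy', 'lastSyncedDate'];

// Returns the HTTP status an unauthenticated search should receive: 200 or 403.
function authorizePublicSearch(query) {
  const keys = Object.keys(query);
  // Allow-list, not deny-list: any parameter outside the subset is refused.
  if (keys.some((k) => !ALLOWED_PARAMS.has(k))) return 403;
  // The search must be scoped to at least one bucket or object.
  const scoped = ['bucketId', 'objectId'].some((k) => isNonEmpty(query[k]));
  if (!scoped) return 403;
  // Fail closed: only the exact value true / 'true' passes. A repeated parameter
  // (?public=true&public=false) is parsed into an array by Express-style parsers and is refused.
  if (query.public !== true && query.public !== 'true') return 403;
  return 200;
}

function isNonEmpty(v) {
  if (Array.isArray(v)) return v.length > 0 && v.every(isNonEmpty);
  return typeof v === 'string' && v.trim() !== '';
}

// Copy each record without the sensitive fields; the stored object is not mutated.
function redactForPublic(records) {
  return records.map((rec) => {
    const copy = { ...rec };
    for (const f of REDACTED_FIELDS) delete copy[f];
    return copy;
  });
}

// Constructed sample data, for illustration only.
const sampleRecords = [{ id: 'obj-1', name: 'report.pdf', public: true,
  path: 'bucket/key/report.pdf', createdBy: 'user-a', updatedBy: 'user-b',
  lastSyncedDate: '2025-07-18T00:00:00Z' }];

const sampleQueries = [
  { bucketId: 'b-1', public: 'true', limit: '10' },    // 200
  { public: 'true' },                                   // 403: no bucketId/objectId
  { bucketId: 'b-1' },                                  // 403: public not set
  { bucketId: 'b-1', public: 'true', name: 'secret' },  // 403: parameter outside the subset
  { bucketId: 'b-1', public: ['true', 'false'] },       // 403: ambiguous repeated parameter
];
for (const q of sampleQueries) console.log(JSON.stringify(q), '->', authorizePublicSearch(q));
console.log(redactForPublic(sampleRecords));
```
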

github-actions bot commented Jul 18, 2025

Coverage Report

Totals Coverage
Statements: 55.33% ( 3057 / 5525 )
Methods: 45.67% ( 332 / 727 )
Lines: 61.97% ( 1833 / 2958 )
Branches: 48.48% ( 892 / 1840 )

norrisng-bc force-pushed the feature/get-public-objects-no-auth branch from 63a8aaf to a66841b, July 29, 2025 00:10
norrisng-bc force-pushed the feature/get-public-objects-no-auth branch 2 times, most recently from 1d87f6a to 359cdaf, August 7, 2025 19:07
norrisng-bc marked this pull request as ready for review August 7, 2025 19:12
norrisng-bc force-pushed the feature/get-public-objects-no-auth branch from 359cdaf to 70f3484, August 7, 2025 19:15
@jatindersingh93 (Contributor)

This needs a re-base.

When no-auth, forbid search params beyond the bare minimum (limit/order/page/sort is still allowed though) and redact potentially sensitive response fields (path, createdBy, updatedBy, lastSyncedDate)
norrisng-bc force-pushed the feature/get-public-objects-no-auth branch from 70f3484 to 2aedd38, August 7, 2025 19:54
norrisng-bc merged commit c8a9d41 into master Aug 12, 2025
13 checks passed
norrisng-bc deleted the feature/get-public-objects-no-auth branch September 3, 2025 23:49