Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Update) Don't query database in filter api take 2 #4164

Merged
merged 3 commits into from
Oct 2, 2024
Merged

(Update) Don't query database in filter api take 2 #4164

merged 3 commits into from
Oct 2, 2024

Conversation

Roardom
Copy link

@Roardom Roardom commented Sep 15, 2024

Take 2 of #4131

@what-the-diff What The Diff
Copy link

what-the-diff bot commented Sep 15, 2024

PR Summary

  • Improved Torrent Search Result Handling
    Enhancements to Torrent filtering logic, with updated caching and pagination for better search result management.
  • Enriched Torrent Information
    Additional attributes like poster, genres, and metadata IDs incorporated for more comprehensive data on torrents.
  • Simplified Pagination
    Switched to a less complex pagination structure by implementing simplePaginateRaw for search results.
  • Expanded Search Capability
    Now, description, mediainfo, and bdinfo attributes included enhancing search indexing of torrents.
  • Better API Response
    Implemented a more comprehensive structure in JSON response, now featuring pagination links and meta information, improving API clarity.

@Roardom Roardom force-pushed the revert-api-torrent-resources branch from 9af515b to 3dad234 Compare September 22, 2024 09:23
@Roardom
Revert "revert: HDInnovations#4131"
b313751 
This reverts commit 1bd9fba.
@Roardom
fix: auth caching api between users
f8b31e2 
Don't cache rsskeys of users and provide the responses to other users.
@Roardom
fix: fix backwards compatibility of api datetime format
d9f834d 
The original format included microseconds as well.
@Roardom Roardom force-pushed the revert-api-torrent-resources branch from 05b01b4 to d9f834d Compare September 22, 2024 10:00
@Roardom Roardom marked this pull request as ready for review September 22, 2024 11:09
HDVinnie
HDVinnie approved these changes Sep 22, 2024
View reviewed changes
Copy link
Collaborator

@HDVinnie HDVinnie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed this twice now. Still worried lol. Can you review it again yourself as well @Roardom

@Roardom
Copy link
Author

Roardom commented Sep 22, 2024

The only sensitive info meilisearch stores is username for anon torrents, which is properly dealt with by return Anonymous for the uploader username if the anon flag is checked.

The only data being added to the return collection that isn't from meilisearch is the tmdb image url, the created_at date, and the route to torrents.show, which contains a numeric id parameter.

  • The tmdb image url function does not output any sensitive data.
  • The created_at date does not output any sensitive data
  • The torrents.show route does not output any sensitive data - the id is not considered senstive

The above only concerns the cached data. After the cached data is fetched from cache, it alters the data before sending as response (but does not alter the data in the cache). It adds sensitive info to the response, such as the rsskey, which itself provides access to the passkey via the magnet link or by downloading the torrent. This sensitive data is not cached. The sensitive data is sourced from the auth helper, and not through an existing (possibly incorrect) user object.

We were originally concerned about apikeys leaking through the pagination urls, but that doesn't seem to be the case since other users' apikeys are never cached.

@HDVinnie HDVinnie merged commit 64107b3 into HDInnovations:8.x.x Oct 2, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HDVinnie HDVinnie HDVinnie approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Roardom @HDVinnie