Add pusher_id to /api/v1/:gem/versions/:version #3765
Conversation
| @@ -281,6 +281,7 @@ def downloads_count | |||
| def payload | |||
| { | |||
| "authors" => authors, | |||
| "pusher_id" => pusher_id, | |||
There was a problem hiding this comment.
do we include raw IDs elsewhere in API responses? Would this make more sense to embed "pusher" => @pusher&.payload or something like that?
There was a problem hiding this comment.
🤔 Interesting - I definitely would prefer that we have more data on the user (at least what's exposed on the RubyGems gem page right now), but I wasn't sure what information the team would like to expose, since we currently don't include any user fields. Do you have any opinions on that front?
There was a problem hiding this comment.
Yes, raw ID is already at profiles API like https://rubygems.org/api/v1/profiles/simi.json and it accepts ID as well https://rubygems.org/api/v1/profiles/42601.json.
Codecov Report
@@ Coverage Diff @@
## master #3765 +/- ##
=======================================
Coverage 98.80% 98.81%
=======================================
Files 212 213 +1
Lines 5198 5223 +25
=======================================
+ Hits 5136 5161 +25
Misses 62 62
|
|
Is this related to V2 versions as well aka https://rubygems.org/api/v2/rubygems/coulda/versions/0.7.1.json? Would it be possible to add also some assertions to related API tests? |
|
Would it be possible to open PR also to update API docs payloads at https://github.com/rubygems/guides/? |
|
@JackMcDataGrail hello! Are you still interested in moving this forward? |
Summary
As part of my research into gem supply chain security I would like to access the
pusher_idfield on theVersionmodel via the API. This field is useful as it is a non-forgeable record of which user pushed the gem.Risks
I don't believe this presents additional security or operational risk that did not already exist. User IDs are, for the most part, opaque in RubyGems. This information is already present on the gem page, as shown below.