Changes to the API


(Seth Godin) #1

I hope this is in the right category.

We were using part of your API to onboard new students.

Right in the middle of the most recent signup cycle, it got turned off. No warning. So we disappointed dozens of people and spent a long time trying to figure out what we had done wrong.

I think it’s probably good practice to come up with a way of notifying subscribers of the road map ahead when it comes to something that’s going to break a process. And of course, to consider that changes, particularly in an API, can have real consequences.

Also, fwiw, I’m told by Alex, my creative director, that the workaround no longer makes it easy for us to populate user names the way we had been doing it (forming more memorable and accurate names as we invite people in). Put me down as voting to get that feature back.

Thanks to @sam and @codinghorror for your leadership in all things Discourse, and to everyone who makes it sing and dance.

Seth


(Robin Ward) #2

First of all allow me to apologize for removing that API without notice.

In general we try to never remove APIs without warning customers first. What actually happened in this case is we had a high-priority vulnerability reported to us involving those endpoints. When I searched the codebase, I realized that they were not used by any forward-facing functionality of Discourse, and after discussing it with the team who was around (it was a Friday night) we determined the best course of action was to protect our customers by disabling the endpoints right away.

I should have checked our server logs to make sure nobody was accessing it. I would have seen your recent activity and could have reached out to you before this happened.

We do have a workaround ready to go though. We’ve fixed the security hole and extracted that functionality into a plugin. We’re going to be deploying that plugin to your site shortly and @blake will reach out when it is deployed so you can resume using it. It should be within an hour.

Sorry again! We take security issues very seriously, and I took action too hastily here.
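The check Robin says he should have run, written up here as an added example (it is not part of the thread and not Discourse code): before disabling an endpoint, scan the web server's access log for recent requests to it and list who is still calling it, so those integrators can be contacted first. The log lines are constructed for the example, the `/invite-token/` paths are an assumption (the thread never names the endpoints), and the reference time and 7-day window are likewise assumptions.

```python
"""Pre-removal check: who is still calling an endpoint we are about to disable?

Added example, not part of Discourse. Parses access-log lines in the common
"combined" format, keeps those whose path starts with one of the endpoint
prefixes being retired, and summarises callers by client IP with hit count,
last-seen time and the paths they used.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed "now" for the example so the window is deterministic.
NOW = datetime(2017, 4, 14, 22, 0, tzinfo=timezone.utc)

# Constructed sample log; the /invite-token/ endpoint paths are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2017:21:03:11 +0000] "POST /invite-token/generate HTTP/1.1" 200 312 "-" "ruby"
203.0.113.7 - - [14/Apr/2017:21:03:12 +0000] "POST /invite-token/generate HTTP/1.1" 200 311 "-" "ruby"
198.51.100.4 - - [10/Apr/2017:08:00:00 +0000] "GET /invite-token/redeem/abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Apr/2017:21:10:00 +0000] "GET /latest.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2017:12:00:00 +0000] "POST /invite-token/generate HTTP/1.1" 403 55 "-" "curl/7.52"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),  # tz-aware
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def callers_of(lines, prefixes, now, window_days):
    """Map client IP -> {"hits", "last", "paths"} for requests in the last
    `window_days` whose path starts with any of `prefixes`.

    All status codes are counted on purpose: a caller getting 403s is still a
    live integration that someone should be told about before removal.
    """
    cutoff = now - timedelta(days=window_days)
    out = defaultdict(lambda: {"hits": 0, "last": None, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue
        if not any(rec["path"].startswith(p) for p in prefixes):
            continue
        entry = out[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].add(rec["path"])
        if entry["last"] is None or rec["ts"] > entry["last"]:
            entry["last"] = rec["ts"]
    return dict(out)


def safe_to_disable(callers):
    """True only when nobody has touched the endpoints inside the window."""
    return not callers


if __name__ == "__main__":
    found = callers_of(SAMPLE_LOG.splitlines(), ["/invite-token/"], NOW, 7)
    for ip, info in sorted(found.items(), key=lambda kv: kv[1]["last"], reverse=True):
        print(f'{ip}: {info["hits"]} hits, last {info["last"].isoformat()}, {sorted(info["paths"])}')
    print("safe to disable:", safe_to_disable(found))
```

Run against a real log with `callers_of(open(path), [...], datetime.now(timezone.utc), 30)`; if anything comes back, those are the IPs (or, with an API-key column added to the regex, the accounts) to reach out to before the switch is flipped. The window should be at least as long as the caller's slowest cycle, which in the thread's case was a signup cycle, not a day.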


(Seth Godin) #3

Thanks @eviltrout

We appreciate it.


(Blake Erickson) #4

The invite tokens plugin has been deployed to your site. It will give you exactly the same functionality as before, along with the necessary security fixes. I’ll reach out to Alex and give him some additional instructions.


(Alex Peck) #5

Thanks @blake. Just got your notes in DM. Much appreciated.