Project RSS feed

[azmeuk]

Partially implements #1130, possibly etags and if-modified-since headers are missing, but let's discuss this in #1130

This patch generates a feed for each project, with a dynamic secret part in the URL based on the existing Project.generate_token method. The generated feed passes the w3c validation

<title> and <description> can probably different, but the main data is here. Let me know what you prefer. Also, the content is simple enough so it does not need to be localized. If more information is needed and the feed content does need to be localized, maybe a lang variable can be added to the feed URL.

Maybe it worth adding an icon somewhere? Near the Invite button?
A firefox extension like awesome-rss automatically detects the feed on a project page, so I can live without it.

[Glandos]

As mentioned:

However in order to be able to do this, this would be needed to save the last update datetime for projects. This date would be updated at each bill addition/edition, and would be used to generate the ETag and Last-Modified headers.

We are using SQLAlchemy-continuum, so I guess that the last transaction is already accessible. But I don't have time to investigate it right now, it's just an idea.

[azmeuk]

I can look at this in another PR once this one is merged if it OK with you.

[azmeuk]

@Glandos any chance you might have some time to review this soon 🙏 ?
Do you have any questions about the implementation? If that can help, we can discuss on irc/matrix/whatever or have a call.

[almet]

Thanks for working on this. It's working the right way to me, as the generated URLs will be able to only access the RSS endpoint.

Before merging, we should IMO decide if we want to integrate etags and if-modified-since, so that what we have in the main branch is feature-complete.

I advocate for the integration of these two =)

[almet]

Maybe add "I Hate Money — " as a prefix here maybe, to make it obvious in the feed reader?

[azmeuk]

I am not sure this is needed. Most readers display the channel name somewhere. Often you can also click select channel to only see the items for that specific channel. Displaying I Hate Money feels redundant to me.

[almet]

I'm not sure I get it. Are you saying the channel name isn't coming from the <title>tag? If you only have the project name, how do you know it's coming from this software?

[azmeuk]

Ahh my bad. I though we were talking about the item title, and not the channel title. It makes sense, I fixed that.

[almet]

Maybe it worth adding an icon somewhere? Near the Invite button?

What about adding a link and a button in the settings of the project?

[azmeuk]

What about adding a link and a button in the settings of the project?

I added a RSS button next to the CSS and JSON. Not sure about the icon, I used a picture that was already there.

[almet]

Looks good to me, I added a few other comments after a second pass. Hope you don't mind too much.

Thanks again for the work on this. I'm curious what other people think about etags and so on.

[almet]

I'm not sure I get it. Are you saying the channel name isn't coming from the <title>tag? If you only have the project name, how do you know it's coming from this software?

[almet]

Well, actually it feels odd to me. You need to state that it's a feed with the latest bills from this project, maybe?

[azmeuk]

Looks good to me, I added a few other comments after a second pass. Hope you don't mind too much.

Not at all, I understand what maintainership is and why you may be careful.

I'm curious what other people think about etags and so on.

I'll look at this soon.

[azmeuk]

@almet to be able to return a 304 HTTP code, with etags/if-modified-since, we need to keep track of the last update datetime for a given project. I suppose this would mean to add a new column in the model, and update this whenever a bill is added/edited/deleted in the project.

Are you OK with that?

[almet]

@almet to be able to return a 304 HTTP code, with etags/if-modified-since, we need to keep track of the last update datetime for a given project. I suppose this would mean to add a new column in the model, and update this whenever a bill is added/edited/deleted in the project.

Are you OK with that?

As @Glandos noted earlier, we're using SQLAlchemy-continuum to version the changes, which should make things easier for us.

It took me some time to find out that the Transaction class has a issued_at property which might be useful for us here.

I'm not sure if we have to chose between ETag/If-None-Match and if-modified-since, or if we should do both of them? (seems redundant, but I guess it depends what's implemented in the clients?).

I advocate for using the easier one (unless there is something I don't get), which in this case seems to be if-modified-since.

[azmeuk]

Ok thank you for the tips I will look at that. I think both headers can be implemented at a cheap cost.

[azmeuk]

I just force-pushed the branch with the integration of the headers.

I added pytest-libfaketime as a dev dependency to mock datetimes. I chose this instead of freezegun because, as freezegun is pure python it would not correctly mock sqlalchemy datetimes, but libfaketime works on a lower level and is able to mock sqlalchemy issue_at attributes (at least without a heavy setup).
libfaketime does not look very active, but this is because it is mainly stable. I maintain the pytest plugin, and in the past the maintainer was welcoming to contributions, so that wouldn't worry me.

I use continuum to find the last datetime edition for a project, and handle if-modified-since, and then I use this date to build a etag to manage if-none-match.

I could not track bills edition that way though, but addition/deletion works fine.

[azmeuk]

I just realized that I forgot to send the etag and last-modified headers back. I need to fix that.

[azmeuk]

This is better now.

[zorun]

I really like the approach, thanks a lot for working on this!

I left some comments, I hope you don't mind adding a few more tests ;)

[zorun]

Please add a test that checks that we can't access another project with a "feed" token. Our first and only CVE was about unauthorized access by tweaking the project ID, so we definitely want to check that we don't introduce a similar issue for this new route (even if it's read-only).

Two cases are interesting: another project with the same private code, and another project with a different private code. Both should not allow access.

[azmeuk]

Done.

[zorun]

I was thinking of accessing the RSS feed of another project with the RSS token. Your new tests try to use the RSS token as an invite token, which is already well covered by test_invalid_invite_link_with_feed_token.

[azmeuk]

Ok that makes more sense 😅
I'll fix that.

[azmeuk]

This is fixed 👍

[almet]

LGTM!

[zorun]

Thanks for the changes, I still have a change request on the tests (testing we can't access other project's RSS feed), otherwise the rest looks good to me!

[zorun]

Nice work!

[almet]

Thanks again for the work on this. Yay!

[zorun]

@azmeuk we will do a release soon with this change (I just plan to finish the work on #1204 before that)