[Web API] Retrieve licenses in bulk

lindale · August 17, 2021, 7:40am

I would like to retrieve license details in bulk using their keys.

As far as I can tell, we have:

GET /v3/licenses : we can filter the list based on a license key using the key parameter, but my understanding is that we can only provide a single key. Is that right?
GET /v3/licenses/{id} : this can only be used to get a single license at a time.

I would like to avoid sending many requests, is there a way to do this in bulk?

ahmad-kemsan · August 17, 2021, 8:27am

Hi Lindale,

As of now, we do not support retrieving license details in bulk, But we are planning to do so by adding support for various operators in query parameters in a month or so.

lindale · August 17, 2021, 9:35am

This is great news! I’m looking forward to it

adnan-kamili · September 20, 2021, 10:32am

Hi,

We have added support for query operators, you can now do the following:

GET /v3/licenses?key[in]=key1,key2,key3

lindale · September 20, 2021, 12:23pm

That’s perfect, thanks a lot!

Is there a limit on the length of the query parameters?

adnan-kamili · September 20, 2021, 12:31pm

As such there is no limit. You can pass any number of license keys.

lindale · October 13, 2021, 3:01pm

I noticed that when calling GET /v3/licenses?key[in]= (empty key[in] param), all licenses are returned.

I wasn’t expected this, and noticed it by chance. I believe this could cause security issues, and I think it should return an empty array.

adnan-kamili · October 14, 2021, 5:21am

We ignore all the query params which are empty, hence [in] is ignored if you don’t pass any value. We can’t change this as this has been the default behaviour for all the query params even before we introduced query operators.

I guess it is not a security issue because anyone having access to the access token can anyways read all the licenses.

lindale · October 14, 2021, 7:28am

Indeed it’s not a direct security issue. But it’s easy to do something like that:

const licenses = await getRepository(License).find({
  where: { user: user }]
});

const licenseKeys = licenses.map(license => license.key);

const cryptlexLicenses = await httpClient.get(
  `https://api.cryptlex.com/v3/licenses?key[in]=${licenseKeys.join(',')}`
);

const formattedLicenses = cryptlexLicenses.map(license => formatLicense(license));

return res.json(formattedLicenses);

This would return all licenses if the user doesn’t have any.

You should at least explain this behavior in the docs. I think many people do not expect this.

adnan-kamili · October 14, 2021, 11:48am

Yes, it will cause the issue in your case. I guess you need to add a check if licenseKeys array is empty.

We will see how we can update our API docs to convey this behaviour.

lindale · October 14, 2021, 11:58am

Yes this is what we already do, the above is just an exemple. But we first implemented the check to avoid unnecessary requests. It’s just because I noticed the behavior by chance that I realised how important the check is, security-wise.