Add protected ability to request JSON results with token#353
Merged
matt-bernhardt merged 1 commit intomainfrom Feb 19, 2026
Merged
Add protected ability to request JSON results with token#353matt-bernhardt merged 1 commit intomainfrom
matt-bernhardt merged 1 commit intomainfrom
Conversation
Pull Request Test Coverage Report for Build 22199215526Details
💛 - Coveralls |
matt-bernhardt
force-pushed
the
rest-api
branch
2 times, most recently
from
c276758 to
1d93a19
Compare
matt-bernhardt
changed the title
JPrevost
commented
Feb 19, 2026
Member
Author
JPrevost
left a comment
JPrevost
left a comment
There was a problem hiding this comment.
Ha, I can't approve because I opened this initially.
@matt-bernhardt I approve this PR as-is. Feel free to approve it yourself (I think you should be able to) and then merge 
** Why are these changes being introduced: The application we are implementing to measure result relevance needs a JSON endpoint for getting search results. ** Relevant ticket(s): * https://mitlibraries.atlassian.net/browse/use-400 ** How does this address that need: This adds an ability to serve search results in JSON format, leveraging Rails' built-in respond_to block. In order to make sure that we control access to this endpoint, we also add a before_action check to make sure that a requesting user agent supplies a token that matches a newly-created environment variable. If that environment variable is not set, or the received token does not match, the request for JSON formatted results will be denied with a 401 Unauthorized status. ** Document any side effects to this change: None, hopefully. We use the before_action check to prevent unnecessary resource use or computation, so hopefully that will help prevent our wasting energy on invalid requests.
matt-bernhardt
force-pushed
the
rest-api
branch
from
1d93a19 to
123a7e7
Compare
matt-bernhardt
approved these changes
Feb 19, 2026
Member
matt-bernhardt
left a comment
matt-bernhardt
left a comment
There was a problem hiding this comment.
Approving this after seeing the feedback from @JPrevost
jazairi
reviewed
Feb 19, 2026
Contributor
jazairi
left a comment
jazairi
left a comment
There was a problem hiding this comment.
Registering another approval, just for good measure. 🙂
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a JSON interface for Unified Search results, which is necessary for Quepid to communicate with the application. There may also be other consuming applications, so we are trying not to couple this work too tightly with Quepid.
In order to protect access to this new formatting option, we also define a
before_actioncheck, comparing an agent-provided token against a value stored in a new env variable. If the values match, the check passes and the request can be processed. We do this in the before_action step, because if the values don't match there's no reason to do any work in response to the request.The review app for this PR has been added as a search option within our Quepid instance, and there's a 1-term case defined that is showing that results are received. If you want to confirm that side of things, let me know and I'll create a user account for you.
Developer
Ticket: https://mitlibraries.atlassian.net/browse/USE-400
Accessibility
New ENV
Approval beyond code review
Additional context needed to review
E.g., if the PR includes updated dependencies and/or data
migration, or how to confirm the feature is working.
Code Reviewer
Code
added technical debt.
Documentation
(not just this pull request message).
Testing