Add an API route for admins to assess crates #11528
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Connects to #10387. This API route, under `/private/` rather than `v1`, will make it a lot easier to assess whether crates contain useful functionality or are squatting. This is only the backend; some of the functionality described in the issue will be frontend-only, but I wanted to get the API in first. The API route will only return data if the currently authenticated user is an admin. This is important because the crate owner's verified email address is part of the returned data so that the admin can contact the owner if necessary. Another reason this route is limited to admins is that some of the queries may be slow.
Turbo87
approved these changes
Jul 6, 2025
| Path(username): Path<String>, | ||
| req: Parts, | ||
| ) -> AppResult<Json<AdminListResponse>> { | ||
| let mut conn = state.db_write().await?; |
There was a problem hiding this comment.
do we need the write access for this endpoint? I think it's read-only or am I missing something?
Comment on lines
+77
to
+86
| AdminCrateInfo { | ||
| name, | ||
| updated_at, | ||
| num_rev_deps, | ||
| num_versions: versions.map(|v| v.len()).unwrap_or(0), | ||
| crate_size: last_version.map(|v| v.crate_size).unwrap_or(0), | ||
| bin_names: last_version | ||
| .map(|v| v.bin_names.clone()) | ||
| .unwrap_or_default(), | ||
| } |
There was a problem hiding this comment.
based on the SQL query I'm usually running in these situations, I recommend to also include:
- crate description
- default version (could probably be included in the
let cratesquery) - crate yanked or not (same as default_version yanked or not)
- total crate downloads
| }) | ||
| .collect(); | ||
| Ok(Json(AdminListResponse { | ||
| user_email: verified.then_some(email).flatten(), |
There was a problem hiding this comment.
maybe we should have user_email and user_email_verified fields?
Comment on lines
+60
to
+69
| let versions: Vec<Version> = versions::table | ||
| .filter(versions::crate_id.eq_any(crate_ids)) | ||
| .select(Version::as_select()) | ||
| .load(&mut conn) | ||
| .await?; | ||
| let mut versions_by_crate_id: HashMap<i32, Vec<Version>> = HashMap::new(); | ||
| for version in versions { | ||
| let crate_versions = versions_by_crate_id.entry(version.crate_id).or_default(); | ||
| crate_versions.push(version); | ||
| } |
There was a problem hiding this comment.
if we use the default version instead of the last version then we only need the versions list for the "number of versions" field and that information is also available in the default_versions table. in other words it could be folded in the crates query above.
Turbo87
added
C-internal 🔧
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Connects to #10387.
This API route, under
/private/rather thanv1, will make it a lot easier to assess whether crates contain useful functionality or are squatting.This is only the backend; some of the functionality described in the issue will be frontend-only, but I wanted to get the API in first.
The API route will only return data if the currently authenticated user is an admin. This is important because the crate owner's verified email address is part of the returned data so that the admin can contact the owner if necessary.
Another reason this route is limited to admins is that some of the queries may be slow.