
Allow public API access when equivalent public web access exists
Open, Needs Triage, Public

Description

For example, the diffusion.tagsquery method cannot be invoked without authentication, even though the logged-out user can access equivalent pages through the web interface. This encourages scraping, which consumes more server resources than a simple API call.

The class ConduitAPIMethod has the function shouldRequireAuthentication. Setting it to false on view-only API methods can allow public API access.

Event Timeline

If I were starting today I would probably design the back-end APIs first, then make the web interface derive from those APIs, such that web requests and API requests are not really any different, at least with regard to enforcing access controls.

As it is currently, however, many of the conduit APIs are a bit hackish and not all on equal footing with the web interfaces that they mirror. In the case of tags it is probably safe to loosen the access controls on that conduit method if it's requiring a session universally.

I'm not sure that would do anything to discourage scraping, though, and the easy path to scrape that info would probably be via git instead of conduit.

There must be a function that allows Conduit methods to be used by logged-out users. It's just that there are hardly any methods using that function.


I think I just found it. But which is the right function: shouldAllowPublic or shouldRequireAuthentication?


Probably shouldRequireAuthentication but I'm not sure why those both exist.
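
An added example, not part of this task or of Phorge's code: before relaxing any method, an administrator can inventory which Conduit method classes already override shouldRequireAuthentication or shouldAllowPublic, following overrides inherited from parent classes. The base-class defaults, the Example* class names and the sample PHP are assumptions constructed for the demo, and the regexes only recognise a literal `return true;` or `return false;`.

```python
import re
# Assumed base-class defaults; confirm them in ConduitAPIMethod in your checkout.
DEFAULTS = {"shouldRequireAuthentication": True, "shouldAllowPublic": False}
CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(\w+)\s*\{")
FLAG_RE = re.compile(r"function\s+(shouldRequireAuthentication|shouldAllowPublic)"
                     r"\s*\(\s*\)\s*\{\s*return\s+(true|false)\s*;")
NAME_RE = re.compile(r"function\s+getAPIMethodName\s*\(\s*\)\s*\{\s*return\s+'([^']+)'")

SAMPLE = [  # constructed PHP for the demo, not taken from the Phorge tree
    """abstract class ExampleReadOnlyConduitAPIMethod extends ConduitAPIMethod {
         public function shouldAllowPublic() { return true; } }""",
    """final class ExampleTagsConduitAPIMethod extends ExampleReadOnlyConduitAPIMethod {
         public function getAPIMethodName() { return 'example.tags'; } }
       final class ExamplePingConduitAPIMethod extends ConduitAPIMethod {
         public function getAPIMethodName() { return 'example.ping'; }
         public function shouldRequireAuthentication() { return false; } }
       final class ExampleEditConduitAPIMethod extends ConduitAPIMethod {
         public function getAPIMethodName() { return 'example.edit'; } }""",
]

def parse_classes(sources):
    """Map class name -> (parent, API method name or None, literal flag overrides)."""
    classes = {}
    for text in sources:
        heads = list(CLASS_RE.finditer(text))
        for head, nxt in zip(heads, heads[1:] + [None]):
            # A class body runs up to the next class header (or end of file).
            body = text[head.end():nxt.start() if nxt else len(text)]
            flags = {m.group(1): m.group(2) == "true" for m in FLAG_RE.finditer(body)}
            name = NAME_RE.search(body)
            classes[head.group(1)] = (head.group(2), name and name.group(1), flags)
    return classes

def effective(classes, cls, flag):
    """Follow the parent chain to the nearest override, else use the default."""
    while cls in classes:
        parent, _, flags = classes[cls]
        if flag in flags:
            return flags[flag]
        cls = parent
    return DEFAULTS[flag]

def relaxed_methods(sources):
    """API methods whose effective flags differ from the assumed defaults."""
    classes, found = parse_classes(sources), {}
    for cls, (_, api, _) in classes.items():
        changed = [f for f in DEFAULTS if effective(classes, cls, f) != DEFAULTS[f]]
        if api and changed:  # classes without a method name are shared helpers
            found[api] = changed
    return found
```

Calling `relaxed_methods` on the contents of the real `*ConduitAPIMethod.php` files gives the list to review against the policy of the equivalent web pages.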