Add hashed user id field to API, for apps that have an app user id

[stephanegigandet]

What

• A few apps that use one OFF account for writes send us some kinds of hashed identifiers of users.
• This is useful when there are problematic edits, as we can find the other edits of the same user.
• Today we do not have a dedicated field for this, and instead we use the comments field, which is parsed in different ways depending on the app.
• We could add a hashed_user_id field in the API, to record it in the change history.

Part of

• 🧽 Data quality (tracker) #5538

[naivekook]

idea is good!
should we consider adding header hashed_user_id instead of API field?
it will allow to bind all requests from app to a dedicated user without changing all models

[stephanegigandet]

I would find it very odd that have one field sent as a HTTP header whereas all the other fields are sent as request parameters. The simpler the API, the better I think.

[hangy]

This is only useful in combination where the contribution is made by ie. kiliweb in behalf of another user, right? In that case, calling it a "hashed" ID might be misleading, because the app might just be sending some kind of UUID, not a hash. Maybe call it an external_user_id and only allow it to be set if the original contributor is a specific known app account?

[naivekook]

totally, if we want just to know which user was last who edit the product then request parameters it the best
I just think what if we want to track other queries too? with a header, we can see the full history of queries from dedicated users like "created product -> search another product -> edit another product -> created screenshot -> etc."

btw I'm a mobile engineer so don't rely on my server knowledge a lot 😅

[stephanegigandet]

@hangy : I wanted to make it explicit that we don't want apps to send us actual usernames (e.g. "stephanegigandet") that their users may have. Because they will be accessible, probably be indexed in search engines etc. I like the external_ prefix though. Maybe external_user_hashed_id or something? or external_user_uuid ? (and then ask apps to generate a valid uuid, even if we don't enforce it).