FIX: Use MaxMind supplied permalinks to download MaxMind databases (#26847)

This commit switches `DiscourseIpInfo.mmdb_download` to use the
permalinks supplied by MaxMind to download the MaxMind databases as
specified in
https://dev.maxmind.com/geoip/updating-databases#directly-downloading-databases
which states:

```
To directly download databases, follow these steps:

1. In the "Download Links" column, click "Get Permalink(s)" for the desired database.
2. Copy the permalink(s) provided in the modal window.
3. Provide your account ID and your license key using Basic Authentication to authenticate.
```

Previously we were downloading from `https://download.maxmind.com/app/geoip_download` but this is not
documented anywhere on MaxMind's docs so this URL can in theory break
in the future without warning. Therefore, we are taking a proactive
approach to download the databases from MaxMind the recommended way
instead of relying on a hidden URL. This old way of downloading the
databases with only a license key will be deprecated in 3.3 and be
removed in 3.4.
Alan Guo Xiang Tan
2024-05-09 15:11:56 +08:00
committed by GitHub
parent abb073b80a
commit 7079698cdf
7 changed files with 97 additions and 6 deletions

@ -25,17 +25,34 @@ class DiscourseIpInfo
end
def self.mmdb_download(name)
extra_headers = {}
url =
if GlobalSetting.maxmind_mirror_url.present?
File.join(GlobalSetting.maxmind_mirror_url, "#{name}.tar.gz").to_s
else
if GlobalSetting.maxmind_license_key.blank?
STDERR.puts "MaxMind IP database updates require a license"
STDERR.puts "Please set DISCOURSE_MAXMIND_LICENSE_KEY to one you generated at https://www.maxmind.com"
license_key = GlobalSetting.maxmind_license_key
if license_key.blank?
STDERR.puts "MaxMind IP database download requires an account ID and a license key"
STDERR.puts "Please set DISCOURSE_MAXMIND_ACCOUNT_ID and DISCOURSE_MAXMIND_LICENSE_KEY. See https://meta.discourse.org/t/configure-maxmind-for-reverse-ip-lookups/173941 for more details."
return
end
"https://download.maxmind.com/app/geoip_download?license_key=#{GlobalSetting.maxmind_license_key}&edition_id=#{name}&suffix=tar.gz"
account_id = GlobalSetting.maxmind_account_id
if account_id.present?
extra_headers[
"Authorization"
] = "Basic #{Base64.strict_encode64("#{account_id}:#{license_key}")}"
"https://download.maxmind.com/geoip/databases/#{name}/download?suffix=tar.gz"
else
# This URL is not documented by MaxMind, but it works but we don't know when it will stop working. Therefore,
# we are deprecating this in 3.3 and will remove it in 3.4. An admin dashboard warning has been added to inform
# site admins about this deprecation. See `ProblemCheck::MaxmindDbConfiguration` for more information.
"https://download.maxmind.com/app/geoip_download?license_key=#{license_key}&edition_id=#{name}&suffix=tar.gz"
end
end
gz_file =
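Review bot: The new STDERR message says an account ID and a license key are both required, but the guard only tests `license_key.blank?`, so a blank `account_id` silently falls through to the legacy `app/geoip_download` branch. Consider printing a deprecation warning to STDERR in that `else` branch as well, since whoever runs the download from a console or scheduled job may never see the admin dashboard warning the comment mentions. The legacy branch also still interpolates `license_key` into the query string, where it can end up in proxy or request logs; the `Authorization` header branch avoids that, which is one more reason to make the fallback loud. Minor: `name` is interpolated into both URLs unescaped, and `Base64` is used here without a visible `require "base64"`, so confirm it is loaded wherever this method runs.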
@ -45,6 +62,7 @@ class DiscourseIpInfo
tmp_file_name: "#{name}.gz",
validate_uri: false,
follow_redirect: true,
extra_headers:,
)
filename = File.basename(gz_file.path)
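Review bot: `extra_headers:` is now passed on a call that also sets `follow_redirect: true` and `validate_uri: false`, so please confirm that the download helper does not replay the `Authorization` header when a redirect leads to a different host. If it does, the Base64-encoded account ID and license key would be sent to whatever host the redirect names, and Base64 is an encoding, not protection. A spec that stubs a cross-host redirect and asserts the header is absent from the second request would pin this behaviour down.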