mantidproject · MialLewis · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 30, 2026
diff --git a/blank.env b/blank.env
@@ -17,6 +17,9 @@ DB_PORT=5432
 SECRET_KEY=<Not Set>
 DB_USER=<Not Set>
 DB_PASS=<Not Set>
+DB_RO_USER=<Not Set>
+DB_RO_PASS=<Not Set>
+QUERY_SECRET_KEY=<Not Set>
 
 #Trusted origins for CSRF validation. For production usage only specify https://reports.mantidproject.org
 DJANGO_CSRF_TRUSTED_ORIGINS=http://localhost:8082,https://reports.a.staging-mantidproject.stfc.ac.uk
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,9 +10,6 @@ services:
       POSTGRES_USER: ${DB_USER}
       POSTGRES_PASSWORD: ${DB_PASS}
       POSTGRES_DB: ${DB_NAME}
-      DB_SERVICE: ${DB_SERVICE}
-      DB_PORT: ${DB_PORT}
-      SECRET_KEY: ${SECRET_KEY}
 
   adminer:
     image: adminer
@@ -34,12 +31,6 @@ services:
     depends_on:
       - postgres
     env_file: .env
-    environment:
-      DB_SERVICE: ${DB_SERVICE}
-      DB_PORT: ${DB_PORT}
-      SECRET_KEY: ${SECRET_KEY}
-      # Define this in .env for development mode. DO NOT USE IN PRODUCTION
-      DEBUG: ${DEBUG}
 
   nginx-reports:
     restart: always

diff --git a/nginx/confs/mantidreports.conf b/nginx/confs/mantidreports.conf
@@ -32,4 +32,23 @@ server {
         proxy_read_timeout         60s;
     }
 
+    set_real_ip_from 172.0.17.0/24;
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+
+    location /api/query {
+        # allow ISIS VPN traffic
+        allow 130.246.0.0/16;
+        deny  all;
+
-
+# Rate limiting
+            limit_req zone=query_limit burst=10;
-
+# Rate limiting
+            limit_req zone=query_limit burst=10;
+        proxy_pass http://web:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_connect_timeout      60s;
+        proxy_send_timeout         60s;
+        proxy_read_timeout         60s;
-        proxy_connect_timeout      60s;
-        proxy_send_timeout         60s;
-        proxy_read_timeout         60s;
+        proxy_connect_timeout      30s;
+        proxy_send_timeout         30s;
+        proxy_read_timeout         30s;
-        proxy_connect_timeout      60s;
-        proxy_send_timeout         60s;
-        proxy_read_timeout         60s;
+        proxy_connect_timeout      30s;
+        proxy_send_timeout         30s;
+        proxy_read_timeout         30s;
+    }
 }
-}
+}
+}
-}
+}
+}
diff --git a/web/run_django.sh b/web/run_django.sh
@@ -8,7 +8,7 @@ python manage.py migrate --noinput
 
 # If running in DEBUG mode add debug logging to gunicorn
 if [ -n "${DEBUG}" ]; then
-  DEBUG_ARGS="--log-level debug --capture-output"
+  DEBUG_ARGS="--log-level debug --capture-output --reload"
 else
   DEBUG_ARGS=
 fi

diff --git a/web/services/urls.py b/web/services/urls.py
@@ -17,6 +17,7 @@
     path("by/user", views.usage_by_users, name="by-users"),
     path("host", views.host_list, name="host-list"),
     path("user", views.user_list, name="user-list"),
+    path("query", views.query, name="query"),
     # url(r'feature', views.feature_usage, name='feature_usage'),
 ]
 

diff --git a/web/services/views.py b/web/services/views.py
@@ -15,10 +15,13 @@
 import django_filters
 from rest_framework.reverse import reverse
 from django.http import HttpResponse
+from django.db import connections
+
 import json
 import datetime
 import hashlib
 import services.plots as plotsfile
+from os import environ
 
 OS_NAMES = ["Linux", "Windows NT", "Darwin"]
 UTC = datetime.tzinfo("UTC")
@@ -328,6 +331,47 @@ def by_root(request, format=None):
     )
 
 
+@api_view(("POST",))
+def query(request, format=None):
+    if not verify_token(request):
+        return response.Response(status=401, data="UNAUTHORIZED")
-        return response.Response(status=401, data="UNAUTHORIZED")
+        return response.Response(status=status.HTTP_401_UNAUTHORIZED, data="UNAUTHORIZED")
-        return response.Response(status=401, data="UNAUTHORIZED")
+        return response.Response(status=status.HTTP_401_UNAUTHORIZED, data="UNAUTHORIZED")
+    sql_err, sql = get_parameter(request, "sql")
+    if sql_err:
+        return response.Response(status=400, data=f"Invalid Parameters: {sql_err}")
+    conn = connections["readonly"]
+    with conn.cursor() as cur:
+        cur.execute(sql)
+        res = cur.fetchall()
+    return response.Response(res)
-    if sql_err:
-        return response.Response(status=400, data=f"Invalid Parameters: {sql_err}")
-    conn = connections["readonly"]
-    with conn.cursor() as cur:
-        cur.execute(sql)
-        res = cur.fetchall()
-    return response.Response(res)
+    if sql_err:
+        return response.Response(status=status.HTTP_400_BAD_REQUEST, data=f"Invalid Parameters: {sql_err}")
+        try:
+            conn = connections["readonly"]
+            with conn.cursor() as cur:
+                cur.execute(sql)
+                res = cur.fetchall()
+        except Exception:
+            return Response({"error": "Query failed"}, status=status.HTTP_400_BAD_REQUEST)
+         
+    return response.Response(res)
-    if sql_err:
-        return response.Response(status=400, data=f"Invalid Parameters: {sql_err}")
-    conn = connections["readonly"]
-    with conn.cursor() as cur:
-        cur.execute(sql)
-        res = cur.fetchall()
-    return response.Response(res)
+    if sql_err:
+        return response.Response(status=status.HTTP_400_BAD_REQUEST, data=f"Invalid Parameters: {sql_err}")
+        try:
+            conn = connections["readonly"]
+            with conn.cursor() as cur:
+                cur.execute(sql)
+                res = cur.fetchall()
+        except Exception:
+            return Response({"error": "Query failed"}, status=status.HTTP_400_BAD_REQUEST)
+         
+    return response.Response(res)
+
+
+def get_bearer_token(request):
+    """
+    Expect: Authorization: Bearer <token>
+    """
+    auth = request.headers.get("Authorization", "")
+    if not auth:
+        return None
+    parts = auth.split(None, 1)  # ["Bearer", "<token>"]
+    if len(parts) != 2 or parts[0].lower() != "bearer":
+        return None
+    return parts[1].strip() or None
+
+
+def get_parameter(request, param):
+    val = request.POST.get(param)
+    err = ""
+    if not val:
+        err = f"No {param} parameter provided"
+    return err, val
-    return err, val
+def get_parameter(request, param):
+    val = request.POST.get(param)
+    if val is None or val.strip() == "":
+        return f"No {param} parameter provided", None
+    return None, val
-    return err, val
+def get_parameter(request, param):
+    val = request.POST.get(param)
+    if val is None or val.strip() == "":
+        return f"No {param} parameter provided", None
+    return None, val
+
+
+def verify_token(request) -> bool:
+    token = get_bearer_token(request)
+    secret = environ.get("QUERY_SECRET_KEY", "")
+    return token == secret
+
+
 class FeatureViewSet(viewsets.ModelViewSet):
     """
     A viewset that provides the standard actions,

diff --git a/web/settings.py b/web/settings.py
@@ -94,7 +94,18 @@
         "PASSWORD": os.environ["DB_PASS"],
         "HOST": os.environ["DB_SERVICE"],
         "PORT": os.environ["DB_PORT"],
-    }
+    },
+    "readonly": {
+        "ENGINE": "django.db.backends.postgresql_psycopg2",
+        "NAME": os.environ["DB_NAME"],
+        "USER": os.environ["DB_RO_USER"],
+        "PASSWORD": os.environ["DB_RO_PASS"],
+        "HOST": os.environ["DB_SERVICE"],
+        "PORT": os.environ["DB_PORT"],
+        "OPTIONS": {
+            "options": "-c default_transaction_read_only=on",
+        },
+    },
 }
 
 # Internationalization