Define interface between source and journalist applications

[redshiftzero]

Description

The source interface is open to any anonymous user and is a natural first point of attack. Access to the journalist interface is quite restricted: only to journalist users that possess the correct ATHS token and valid account credentials. Currently both access a shared database and are both running on the same physical machine:

The number of things we need the source interface to do involving the database is very limited:

• Log in
• Submit document/message
• Fetch replies
• Delete replies

We could define a simple interface (i.e. an API that talks to the journalist application when needed) that enables the source interface to do just these things and restructure the source interface to use this API instead of the database directly via the ORM:

This would make the source interface much simpler and would enable a more gradual path to (eventually) migrating away from Python (e.g. via rewriting just the source interface in Golang or Rust), as well as enable greater isolation by running each application inside separate containers in production (see all other issues with the containerize server label), meaning that eventually the architecture would look something like this:

[usmanmuhd]

I was interested to work on this particular issue.
I had a few questions:

1. When connecting with the api from the source interface, are we not giving away access to the journalist interface website?
2. Why can we not just run a temporary Database where the data is stored as soon as it is uploaded from the source and the contents are copied to an isolated database and deleted from the temporary database, thereby leaving no sensitive content on the temporary database except the login details?