webcam_demo.html expose the apiKey to internet user

[rainbow119119]

either the webcam_demo.html or JavaScript SDK webcam demo http://xxx.xxx.xxx:3000
all expose apiKey to internet user ,so they can add or delete any subjects in the database with no limit. how to avoid this?

[pospielov]

The only way to control usage now is to write your own middleware.
This is a base scenario we expect - CompreFace should always be closed from the Internet.
So two cases are:

1. CompreFace is installed in a private network, nobody can direct access to it
2. End user makes facial recognition requests, but there is a middleware system that controls security and roles.

The reason why we decided to move this way - there is no way we can implement all possible roles, permissions, and authorization options. And those will make CompreFace overcomplicated.
Furthermore, such functionality is usually implemented in "Enterprise" versions of open-source systems.