feat: API key authorization policy #765
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hburn7
added
type:feature
config-change
|
There seem to be a lot of line-length formatting changes - was anything changed in terms of expected code formatting? |
|
Good eye - this would be my laptop rider settings getting in the way most likely. |
Needed to disable this checkbox. Finally resolved. |
hburn7
force-pushed
the
feature/x-api-key
branch
from
d3b3d90 to
40ab673
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This feature adds a new authorization policy which checks against the
X-Api-Keyheader. This header & auth policy replace all instances of[AllowAnonymous](with the exception of login/logout). This adds a protective layer against anonymous scraping.So long as the correct header and secret is supplied, the request will succeed. otr-web is supplied this secret, but random users will not have access to this. Now, "anonymous" resources are accessible through platforms which we give the access to, rather than being completely open to the entire internet.