Comments (11)
Hi @hosnas, @Arvant has sent a pull request, #59, that I think addresses this issue. Appreciate if you could confirm.
from agenda-rest.
@keyvan-m-sadeghi : I have added another PR #60 with a very cosmetic change regarding the Error message in case of incorrect API key.
@keyvan-m-sadeghi can confirm it works as intended. Great job @Arvant and @sampathBlam 👍
I just want to say it's worth mentioning it in the readme doc.
Agreed, @Arvant and @sampathBlam, any help with documenting this is very much appreciated.
The current implementation with the API key looks neat and sufficient. A more robust way to authenticate would be to handle in-house OAuth2 based authentication with the Client Credentials strategy. As agenda-rest might be predominantly used in machine-to-machine communications (users won't directly hit the hosted agenda-rest service), it makes sense for the clients (maybe another server or an application) that interact with agenda-rest to get a client ID and secret as part of a registration process, then get an application access token and use it for any further requests. @hosnas, @keyvan-m-sadeghi, @Arvant: Your thoughts on this?
@keyvan-m-sadeghi : Yes I agree. Adding OAuth would mean increasing unnecessary complexity and would prove a hindrance in maintaining agenda as a microservice.
@keyvan-m-sadeghi Thank you for accepting my suggestion. I will call the header x-agenda-signature and it will be optionally enabled via settings and a flag. While I implement this feature can you please publish and bump the version for me. I have an internal project that depends on PR #70. Thank you so much for your prompt response.
@sampathBlam you're absolutely right, the main use case for agenda-rest is M2M interactions. As such, I'm not clear on the reason for adding complexities like a refresh token. What's the added value? In addition, I'm very much for agenda-rest remaining a microservice, wouldn't adding this be a practice used in monoliths?
I think it is worth considering adopting the same strategy GitHub uses to secure web-hooks. This strategy is much more secure than passing an unencrypted key. For more documentation please take a look at this https://developer.github.com/webhooks/securing. Here is some example code that shows how to validate the request; you could also implement a middleware using this approach:
```javascript
import { createHmac } from 'crypto'
import feathers from '@feathersjs/feathers'
import express from '@feathersjs/express'
import socketio from '@feathersjs/socketio'
import bodyParser from 'body-parser'
// `rest` and `prometheus` are the poster's own modules and are not shown here

// Recompute the HMAC over the raw body and compare it with the
// X-Hub-Signature header GitHub sends (sha1=<hex digest>)
export let validateGithubRequest = ({ secret, req }) => {
  let signature = req.headers['x-hub-signature']
  let hmac = createHmac('sha1', secret)
  let body = Buffer.from(req.rawBody)
  hmac.update(body, 'utf-8')
  // note: a plain string comparison is not constant-time;
  // crypto.timingSafeEqual avoids leaking where the digests differ
  return signature === `sha1=${hmac.digest('hex')}`
}
// ...
// body-parser's verify hook: keep the raw body so the HMAC is computed
// over exactly the bytes that were signed, not a re-serialised object
let preserveRawBody = (req, res, bodyBuffer) => {
  req.rawBody = bodyBuffer.toString('utf8')
}
// ...
const app = express(feathers())
app
  .configure(express.rest(rest()))
  .configure(socketio())
  .configure(prometheus)
  .use(bodyParser.json({ limit: '50mb', verify: preserveRawBody }))
// ...
```
@keyvan-m-sadeghi Let me know what you think and I can implement a PR that exemplifies what I'm proposing.
@geosp seems like a fine solution, I suggest that we keep the x-api-key as it still might be the preferred method for some. I'll wait for your PR, then publish to npm and bump up the version.
@geosp done 🎉