Enhance security by protecting the shutdown

Question

Enhance security by protecting the shutdown

Closed this issue a year ago · 7 comments

To my knowledge, the /endpoint/shutdown is hardcoded. How can this be changed, so a shutdown can be set to any URL AND needs a password or token? Currently, if someone knows I am running this module, s/he can call this fixed URL and shut down the REST server...

Answer 1 · 2023-05-28T21:25:13.000Z

Well, we could update this to be 'behind' whatever authenticate you are providing. Do you think that would be a POST or a PUT?

Answer 2 · 2023-06-01T14:34:07.000Z

The easiest way I can imagine: Remove the hardcoded shutdown URL and let the user shutdown the server from any endpoint by using a global variable or function.
So the default setting just needs to include a simple endpoint description and if somebody like me doesn't like this, one can write it's own endpoint including any form of authentication and if needed running subscripts to shutdown other things first.

How about this?

Answer 3 · 2023-06-01T16:57:34.000Z

Sounds reasonable. Want to do a PR? Or want me to make the changes?

Answer 4 · 2023-06-01T17:29:10.000Z

If you want me to do it, I should have this in a day or two.

Answer 5 · 2023-06-01T17:40:07.000Z

Yeah, go ahead and give it a shot!

Answer 6 · 2023-06-02T21:10:50.000Z

It was only a very small change. So it is done. See my pull request.

Answer 7 · 2023-06-03T00:09:37.000Z

New version deployed!
https://www.powershellgallery.com/packages/RestPS/7.0.56