API is not secure

Question

API is not secure

Closed this issue 4 years ago · 2 comments

Since the API is open, it makes the package obsolete for production.
A simple basic auth using Flask-HTTPAuth would solve the problem and allows us to integrate with Lambda Functions

Answer 1 · 2020-03-03T21:14:51.000Z

Hello,

You are absolutely right. We are aware of this situation and this point is on our roadmap.

Answer 2 · 2020-03-08T17:07:17.000Z

It's also important to note that it's possible to use Director behind a reverse proxy adding the authentication layer (it's what we're doing in OVH), so no it's not totally obsolete for production 😉

However you're totally right, it's not really user-friendly to use a reverse proxy so we need to provide another way to authenticate users. Basic and digest auth can be a first step, but we would like to add other mechanisms like LDAP or OAuth.

We'll come back to you soon with a solution 😃