Using nTunes Securely
Out of the box, the nTunes API offers A LOT of functionality regarding your iTunes library, including the ability to destroy, well, pretty much anything if somebody malicious has open access to the API running on your machine. That being said, OF COURSE you want to open up the API to the internet, so that you can listen to your library anywhere. So here are a few scenarios that might be useful in setting up nTunes and opening it to the world:
Setting up the API with read-only access is a good way of ensuring that nobody screws up any settings, while still allowing retrieval of the data in a read-only fashion. This involves rejecting any POST requests before they reach the API, and only allowing GET requests to pass through. We do this with connect:
require("connect").createServer(
  function(req, res, next) {
    // First verify that the request is not attempting to change anything in
    // the library (GET requests are non-mutating to the library)
    if (req.method != "GET") {
      // 405 is the status for a method the server does not allow here;
      // the Allow header tells the client which methods it may use
      res.writeHead(405, { "Allow": "GET" });
      res.end("HTTP Method Not Allowed: " + req.method);
    } else {
      next();
    }
  },
  // If the above function calls 'next()', then the nTunes API takes control
  require("nTunes")()
).listen(3000); // pick whatever port you want to expose
Obviously you can put in place some HTTP authentication to ensure that only authorized people have access to the API. This is more useful if you would still like the ability to write properties and invoke iTunes commands through POST requests. You can try using connect-auth to get an all-in-one solution.