how to secure operating api #680

Closed
imacks opened this issue Jun 12, 2018 · 6 comments

Comments

imacks commented Jun 12, 2018

It's my first time trying this project. I must be missing something in the docs, but how do I secure the app creation API? Like, is there a concept of users here? Set the number of apps a user can create? Give a user some kind of API key to protect his app routes from unauthorized editing? Do I need to write JWT middleware for all that?

Contributor

c0ze commented Jun 13, 2018

Unfortunately, there is no concept of users or fine-grained access control. You can secure the global API by issuing JWT tokens; please check the Authentication docs for more information. For fine-grained control, you can set route-level JWT tokens and distribute them to your users, maybe.

Author

imacks commented Jun 13, 2018

Good to know. To have access control to /v1/apps (deploying and updating apps), what kind of middleware will I need to write? Is there a guide somewhere?

Contributor

c0ze commented Jun 13, 2018

You don't need to write any middleware. You just need to pass an ENV when starting the functions server. You also need to pass the same token when you are issuing commands via the fn tool (or accessing the API in any way). Please check the documentation I provided before.

If you need to modify the implementation (write your own middleware etc.), please check the following PRs; they may give you ideas. Thank you!

#662
#660

Author

imacks commented Jun 13, 2018

Hmm, I can't find the name of the env... help pls?

For my use case, I would really need a per-user JWT token as described before. Is this already on your roadmap? I would certainly like to help on this feature if you think it's a good idea.

Contributor

c0ze commented Jun 14, 2018

Does this help?

As for users, I am afraid that is not in the roadmap. If you are willing to help though, of course we would appreciate your input!

Author

imacks commented Jun 14, 2018

Tks, that certainly helps. I'll try to implement users then...

@imacks imacks closed this as completed Jun 14, 2018
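
The per-user token idea from this thread (a JWT handed to each user that only lets them edit their own apps), as an added sketch in Go that is not the project's code. The claim layout (`sub` as the user), the `owners` map and the names `Issue` and `Authorize` are assumptions, and it covers edits to existing apps only, not creation or quotas.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

func sign(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return enc.EncodeToString(h.Sum(nil))
}

// Issue mints an HS256 token; putting the user in "sub" is an assumed claim layout.
func Issue(key []byte, user string, exp time.Time) string {
	body, _ := json.Marshal(map[string]interface{}{"sub": user, "exp": exp.Unix()})
	msg := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return msg + "." + sign(key, msg)
}

// Authorize passes only a validly signed, unexpired token whose user owns app.
// owners (app -> user) is a hypothetical store. The MAC is always HMAC-SHA256; the header's "alg" is never trusted.
func Authorize(key []byte, owners map[string]string, tok, app string) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return fmt.Errorf("bad token or signature")
	}
	var c struct{ Sub string; Exp int64 }
	body, _ := enc.DecodeString(p[1])
	if json.Unmarshal(body, &c) != nil || c.Sub == "" || time.Now().Unix() >= c.Exp {
		return fmt.Errorf("unreadable, anonymous or expired claims")
	}
	if owners[app] != c.Sub { // unknown apps have no owner and are refused too
		return fmt.Errorf("user %q does not own app %q", c.Sub, app)
	}
	return nil
}

func main() {
	key, owners := []byte("constructed-demo-key"), map[string]string{"blog": "alice"} // constructed values
	fmt.Println(Authorize(key, owners, Issue(key, "bob", time.Now().Add(time.Hour)), "blog"))
}
```

In a real deployment this check would sit in HTTP middleware in front of the `/v1/apps` routes, with the token taken from the `Authorization` header.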