ActivityWatch / aw-server-rust

High-performance implementation of the ActivityWatch server, written in Rust
Mozilla Public License 2.0

Password based authentication #494

Open powellnorma opened 3 days ago

powellnorma commented 3 days ago

So that not any app (or even extension) can access all of AW's data. Web-UI would also need to authenticate with a password (login could be saved via cookie, though). The Client-Libraries (Python + JS) would have to get updated.

powellnorma commented 3 days ago

Perhaps it would be enough to simply add an HTTP header that contains the password for each API request. One optimization would be to hash that password twice - once client-side, once server-side. That way, the plain password is not included in the HTTP headers.

In case the password is wrong, the backend could wait ~1s before giving a 403 response.
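
A sketch of the scheme proposed in this thread, added here as an example and not code from aw-server-rust or its client libraries: the client sends a hash of the password in a header, the server hashes that value again and compares it with what it stored, and a failed check waits about one second before answering 403. The header name `X-AW-Auth`, the function names, and the choice of SHA-256 on the client and salted PBKDF2 on the server are assumptions; the thread names no header or hash function.

```python
import hashlib
import hmac
import os
import time

HEADER = "X-AW-Auth"      # hypothetical header name, not defined by the project
FAIL_DELAY_S = 1.0        # the "~1s" wait suggested in the thread
PBKDF2_ROUNDS = 100_000   # assumed work factor for the server-side hash


def client_token(password):
    """Client-side hash: the value placed in the header instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_hash(token, salt):
    """Server-side hash of whatever the client sent (the second hash)."""
    return hashlib.pbkdf2_hmac("sha256", token.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password):
    """Create the record the server keeps: a random salt and the double hash."""
    salt = os.urandom(16)
    return salt, server_hash(client_token(password), salt)


def check_request(headers, salt, stored, sleep=time.sleep):
    """Return the HTTP status for one API request: 200, or 403 after the delay."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    token = lowered.get(HEADER.lower(), "")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if hmac.compare_digest(server_hash(token, salt), stored):
        return 200
    sleep(FAIL_DELAY_S)   # slows down repeated guessing against the local API
    return 403


if __name__ == "__main__":
    salt, stored = enroll("correct horse")   # constructed sample password
    good = {HEADER: client_token("correct horse")}
    bad = {HEADER: client_token("wrong guess")}
    print(check_request(good, salt, stored))  # accepted
    print(check_request(bad, salt, stored))   # rejected after the delay
```

The header value stands in for the password on every request, so anything that can read the header can replay it; the server-side hash keeps that value out of the server's stored record.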