Filter `key` parameters from request URIs

Conal-Tuohy / TroveProxy

A transforming proxy and harvester for the National Library of Australia's Trove API

Apache License 2.0

1 stars 0 forks source link

Filter `key` parameters from request URIs #5

Open Conal-Tuohy opened 10 months ago

Conal-Tuohy commented 10 months ago

Move API authentication keys from request URIs (i.e. the key parameter) into HTTP X-API-KEY headers:

make URIs publishable without leaking authentication credentials
allow URIs to be canonical
allow URIs to be reused with other keys without editing the URI

Conal-Tuohy commented 10 months ago

TroveProxy should accept keys from the client as any of X-API-KEY header, key URL parameter, or a cookie, and should pass the key to Trove as an X-API-KEY header (stripping any key parameter from the URL), and pass the key back to the client as a cookie.