Screenly / Anthias

The world's most popular open source digital signage project.
https://anthias.screenly.io

Overhaul the REST API and its documentation. #1812

Open nicomiguelino opened 1 year ago

nicomiguelino commented 1 year ago

Overview

Relevant issues

Depends on

mpal-intrinsiq commented 5 months ago

Hi! During the migration, could you please secure the /api/docs/ Swagger endpoint with basic auth, and probably /api/swagger.json as well? Currently you can set up basic auth for the dashboard, but the $hostname/api/docs/ path is not secured. Therefore anybody can simply make changes to the assets or even shut down the system by calling the endpoint /api/v1/shutdown_screenly.

mpal-intrinsiq commented 5 months ago

As a workaround I navigated into the anthias-nginx docker container with docker exec -it {ID} bash

Then edited this config: /etc/nginx/sites-enabled/anthias.conf

And added these two blocks right after the root / location.

    # Swagger UI: proxy to the app exactly like the root location,
    # but demand the same basic-auth credentials as the dashboard first.
    location ~* ^\/api\/docs.*$ {
        proxy_pass http://anthias;
        proxy_connect_timeout 1800;
        proxy_send_timeout 1800;
        proxy_read_timeout 1800;
        send_timeout 1800;

        auth_basic "Administrator’s Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }

    # OpenAPI document consumed by the Swagger UI: same treatment.
    location ~* ^\/api\/swagger\.json.*$ {
        proxy_pass http://anthias;
        proxy_connect_timeout 1800;
        proxy_send_timeout 1800;
        proxy_read_timeout 1800;
        send_timeout 1800;

        auth_basic "Administrator’s Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }

These two blocks could be merged with proper regex, but I didn't want to play with them...

After this, I executed the command sudo service nginx reload, then left the Docker container by typing exit.
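A way to confirm that the workaround above actually took effect, as an added example that is not part of this thread or of the Anthias project: the script below sends unauthenticated GET requests to the paths named in the thread and expects NGINX to answer 401 (or 403) before the request ever reaches the app. Any other status (200, 404, 405) means the request was proxied through without credentials. The base URL argument, the path list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# check_api_auth.sh: verify that the Anthias API doc and control endpoints
# reject unauthenticated requests. Usage: sh check_api_auth.sh http://anthias.local
# (the host, path list and script itself are assumptions for this example).

# Paths mentioned in the thread; extend the list as needed.
PATHS="/api/docs/ /api/swagger.json /api/v1/shutdown_screenly"

# http_status BASE PATH: print the HTTP status code of an unauthenticated GET.
# curl prints "000" when no connection could be made, which counts as unverified.
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1$2"
}

# is_protected STATUS: succeed only when the proxy refused the request outright.
# 401 is what auth_basic returns; 403 is accepted as "blocked" as well.
is_protected() {
    case "$1" in
        401|403) return 0 ;;
        *) return 1 ;;
    esac
}

# check_all BASE: probe every path, print one line each, fail if any path
# was reachable without credentials or could not be reached at all.
check_all() {
    base=$1
    failures=0
    for p in $PATHS; do
        code=$(http_status "$base" "$p")
        if is_protected "$code"; then
            echo "OK    $p -> $code"
        else
            echo "FAIL  $p -> $code (request reached the backend or host unreachable)"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

if [ $# -gt 0 ]; then
    check_all "$1"
fi
```

Run it once before and once after reloading NGINX: before the workaround the shutdown path typically reports 405 (GET is not the accepted method, but the request still reached the app), afterwards all three lines should read 401.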

nicomiguelino commented 3 weeks ago

@mpal-intrinsiq, @palmarcell The pull request is still in progress. I already added authorization to the API doc endpoints.

Changes to the NGINX file will probably be done in a separate PR.