Open nicomiguelino opened 1 year ago
Hi!
During the migration, could you please secure with basic auth the `/api/docs/` Swagger endpoint and probably the `/api/swagger.json` as well?
Currently you can set up a basic auth for the dashboard, but the `$hostname/api/docs/` path is not secured. Therefore anybody can simply make changes in the assets or even shut down the system by calling the endpoint `/api/v1/shutdown_screenly`.
As a workaround I navigated into the anthias-nginx docker container with `docker exec -it {ID} bash`, then edited this config: `/etc/nginx/sites-enabled/anthias.conf`, and added these two blocks right after the root `/` location.
```nginx
# Swagger UI: /api/docs and anything below it
location ~* ^\/api\/docs.*$ {
    proxy_pass http://anthias;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    proxy_read_timeout 1800;
    send_timeout 1800;
    # Prompt for credentials; reuse the same htpasswd file as the dashboard
    auth_basic "Administrator’s Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}

# OpenAPI document: /api/swagger.json (with any query string)
location ~* ^\/api\/swagger\.json.*$ {
    proxy_pass http://anthias;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    proxy_read_timeout 1800;
    send_timeout 1800;
    # Same protection as the docs UI above
    auth_basic "Administrator’s Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}
```
These two blocks could be merged with proper regex, but I didn't want to play with them...
After this, executed the command `sudo service nginx reload`, then left the docker container by typing `exit`.
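A quick way to confirm the workaround actually took effect, as an added example that is not part of the issue or the Anthias project: probe each Swagger path once anonymously and once with credentials and classify the pair of status codes. The host name, the `admin:secret` credentials and the use of `curl` are assumptions; only the two paths come from the comment above.

```shell
#!/usr/bin/env bash
# Added example (not Anthias project code): check that the Swagger endpoints
# behind anthias-nginx now demand basic auth. Host/credentials are placeholders.

# status_for URL [USER:PASS] -> prints only the HTTP status code
status_for() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# classify ANON_STATUS AUTH_STATUS -> one word describing the endpoint state
classify() {
  case "$1:$2" in
    401:200) echo protected ;;       # anonymous rejected, credentials accepted
    401:401) echo bad-credentials ;; # auth_basic is active, but user/pass wrong
    2??:*)   echo open ;;            # anonymous request succeeded: still unsecured
    *)       echo unexpected ;;      # e.g. 502 from the proxy, or a redirect
  esac
}

# check_paths BASE_URL USER:PASS PATH... -> non-zero exit if any path is not protected
check_paths() {
  local base="$1" creds="$2" rc=0
  shift 2
  for path in "$@"; do
    local anon auth verdict
    anon=$(status_for "$base$path")
    auth=$(status_for "$base$path" "$creds")
    verdict=$(classify "$anon" "$auth")
    printf '%-20s anonymous=%s with-auth=%s -> %s\n' "$path" "$anon" "$auth" "$verdict"
    [ "$verdict" = protected ] || rc=1
  done
  return "$rc"
}

# Usage with constructed values (adjust host and credentials for your device):
#   check_paths http://anthias.local admin:secret /api/docs/ /api/swagger.json
```

The script exits non-zero as soon as either path is reachable without credentials, so it can run after every `nginx reload` or container rebuild to catch the config being overwritten.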
@mpal-intrinsiq, @palmarcell The pull request is still in progress. I already added authorization to the API doc endpoints.
Changes in NGINX file will probably be done on a separate PR.
Overview
drf-spectacular
Relevant issues
Depends on