Open kohlerdominik opened 5 years ago
The original rationale for having an authentication key was to prevent accidental public / unprotected exposure of the service. But in hindsight, this was probably not the most brilliant solution as we set a default key which many will probably leave unchanged. I'd be up for removing it entirely in a newer / major version with a disclaimer that no authentication is shipped. With the increasing popularity of service mesh, and API gateways, I think a "saner" way to operate this microservice is probably by moving authentication to the edge. Either:
I think it would be great if the auth_key could be disabled. We are using Athena in a k8s-Cluster, so it's not available from outside. With that in mind, it just makes the auth an extra failure cause.
I think this could be as easy as adding the environment variable WEAVER_DISABLE_AUTH and just checking it in the middleware. Sadly, I don't have any skills in Go, so I can't make my own PR. However, I hope someone else can put me out of this misery.
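One way the opt-out requested in this issue could be checked, as an added example using Go's standard net/http; it is not Athena's own code. It also fails closed on the unchanged-default-key case raised in the thread. Only WEAVER_DISABLE_AUTH comes from the issue; AUTH_KEY, the X-Auth-Key header and the placeholder default value are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// placeholderKey stands in for a shipped default key (hypothetical value).
const placeholderKey = "changeme-default-key"

type authConfig struct {
	disabled bool   // true only after an explicit opt-out
	key      []byte // shared secret when auth is enabled
}

// loadAuthConfig reads WEAVER_DISABLE_AUTH and AUTH_KEY (hypothetical) once at startup.
func loadAuthConfig(getenv func(string) string) (authConfig, error) {
	if getenv("WEAVER_DISABLE_AUTH") == "true" {
		return authConfig{disabled: true}, nil // auth is delegated to the edge
	}
	key := getenv("AUTH_KEY")
	if key == "" || key == placeholderKey {
		return authConfig{}, errors.New("auth enabled but key is empty or still the shipped default")
	}
	return authConfig{key: []byte(key)}, nil
}

// allowed compares in constant time; a zero-value config never grants access.
func (c authConfig) allowed(presented string) bool {
	return c.disabled || (len(c.key) > 0 && subtle.ConstantTimeCompare([]byte(presented), c.key) == 1)
}

// requireKey rejects requests whose X-Auth-Key header (hypothetical) does not match.
func requireKey(cfg authConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !cfg.allowed(r.Header.Get("X-Auth-Key")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg, err := loadAuthConfig(func(string) string { return "" }) // constructed: empty environment
	fmt.Println(cfg.disabled, err)                                // startup should abort on this error
}
```

Resolving the setting once at startup means a misconfigured deployment fails to start instead of silently serving with a known key.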