danilovilhena / whatsapp-redirect

API made to organize and redirect users to WhatsApp groups during a digital product launch.
https://whatsapp.deta.dev/
MIT License

About endpoint security #2

Open vasfvitor opened 2 years ago

vasfvitor commented 2 years ago

First of all, I'm new to node.js, modules and JS. I was looking for a simple way to redirect users to WhatsApp groups, like a script or something, and found yours.

I forked your repo and successfully published it on my own Deta account. Also, I set up a CloudFlare Worker to redirect a subdomain to the 'get group' route (to avoid exposure of the original API URL), but I'm still working on it because the API URL still shows up in Chrome Dev Tools... Anyway, my question is whether you had something in mind about how to implement it (is it just a proof of concept?), or is it already (more or less) production ready? I mean, it seems to me that anybody can take the API and remove/add links and users, right?

Do you use it?

Thanks

Thanks, straight from Recife

danilovilhena commented 2 years ago

Hey!

Good point, I actually didn't consider the security aspect. Thinking about it now, someone can find the documentation and exploit the other routes. But for my case, it was somewhat production-ready: I created the key, added the groups in that key, then just added the GET route in the href of a link and users were redirected to a group.

It's definitely a great upgrade to include some authentication when handling the keys and group links.

vasfvitor commented 2 years ago

I'm only concerned about security because I was thinking of sharing this API or an improved version with something like 1-click deploy and maybe a UI (Deta already has one but it isn't foolproof) so others could use it, but that may be a long reach. I did some quick research and Deta already has a setting to set auth through an API key, but I think that for it to work it would need a way to not expose the API key in the page source... Also, I was reading about how Passport and Express can work to make only certain endpoints restricted; that could work, I guess. I'm going to play with that stuff to see if something comes out. Thanks