duo-labs / isthislegit

Dashboard to collect, analyze, and respond to reported phishing emails.
BSD 3-Clause "New" or "Revised" License

Support authorization for SendToDashboard() #25

Closed dustin-decker closed 5 years ago

dustin-decker commented 6 years ago

Without authorization someone could easily flood the public endpoint of the dashboard with noise. I'm not sure what the best way to do this from the client side would be. Ideally some sort of signed assertion of the Chrome identity that you could verify would be optimal, but I'm not sure if that is possible. Might be worth sending the ID from this API at minimum: https://developer.chrome.com/apps/identity#method-getProfileUserInfo

jordan-wright commented 5 years ago

Hi @dustin-decker,

Sorry for taking so long to get back to this. I'm starting back up development for IsThisLegit and authenticating requests coming into the dashboard is something I'd like to get taken care of.

There's another issue at #32 that we'll work through to get this knocked out, so in the meantime I'll close this one in favor of working through the other issue. Thanks again for raising this issue!