We'd really like to have the ability to have some form of authentication on the /report endpoint. Ideally this would verify that users are part of our organization before we accept data from them.
One way we could achieve this is by using something like an HMAC, and distributing the key as part of the payload that's pushed to Chrome by the administrator. That's a quick-fix solution, and we'd be happy to help submit a PR for it. Unfortunately, it would also only offer some protection. A single passphrase, etc. etc.
Another way we could achieve this is by using Google Sign-In or the OAuth package to handle OAuth requests from the Chrome extension. The Chrome extension, in turn, could use the identity API to retrieve an auth token to make requests with. This is a much more secure approach, but also offers many more ways to break. We'd also be happy to help with a PR to accomplish this.
Is there any interest in pursuing either of these strategies, or some third option?
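The HMAC option from the post above, sketched as an added example that is not part of the original issue or the project's code. The function names, the timestamp-prefixed message format, the 300-second window and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample key. In the scheme described above, the administrator
# would push the real key to Chrome as part of the managed payload.
SHARED_KEY = b"constructed-example-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window to limit replay


def sign_report(key, body, timestamp):
    """MAC the extension would compute over a /report body (hypothetical format)."""
    # Binding the timestamp into the MAC stops an observer from re-stamping
    # a captured report with a fresh time.
    msg = str(int(timestamp)).encode("ascii") + b"." + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_report(key, body, timestamp, signature, now=None):
    """Server-side check: True only for a fresh report with a valid MAC."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # missing or malformed timestamp
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    if not isinstance(signature, str):
        return False  # missing signature
    expected = sign_report(key, body, ts)
    # Constant-time comparison so the match position does not leak via timing.
    return hmac.compare_digest(expected.encode("ascii"),
                               signature.encode("utf-8"))


if __name__ == "__main__":
    body = b'{"event": "constructed sample report"}'
    ts = int(time.time())
    sig = sign_report(SHARED_KEY, body, ts)
    print("valid report accepted:", verify_report(SHARED_KEY, body, str(ts), sig))
    print("tampered body accepted:",
          verify_report(SHARED_KEY, body + b"x", str(ts), sig))
```

Every client holding the shared key produces equally valid MACs, so this check shows that a report came from some holder of the key, not from a particular user.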