Closed gobengo closed 2 years ago
POST /events shouldn't let just anyone submit an event. It should check for proof of authorization.
For v0 just allow configuring one or more shared secrets that can be used as HTTP basic authorization.
Follow-up work can add support for zcaps.
AC
use basic auth instead
base64(user:pass)
Added. This is configured by the CLIENTS environment variable documented here:
CLIENTS
The current value for prod is in team secret manager 'metrics-collector production CLIENTS'.
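The following is an added example, not the project's code, of the v0 check this issue asks for: decode `Authorization: Basic base64(user:pass)` on POST /events and compare it against configured shared secrets without leaking match position through timing. The `CLIENTS` format (comma-separated `user:pass` pairs) and all function names are assumptions, since the page does not show them.

```javascript
// Added example, not the project's code. Assumption: CLIENTS holds a
// comma-separated list of user:pass pairs (the page does not show its format).
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash to a fixed length so timingSafeEqual never sees unequal-length inputs.
const digest = (s) => createHash('sha256').update(s, 'utf8').digest();

// Turn the environment value into a list of credential digests.
function parseClients(envValue) {
  return String(envValue || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.includes(':'))
    .map(digest);
}

// Returns the decoded "user:pass" string, or null if the header is unusable.
function decodeBasic(header) {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  return decoded.includes(':') ? decoded : null;
}

function isAuthorized(header, clients) {
  const presented = decodeBasic(header);
  // Fail closed: no header, bad header, or no configured clients means deny.
  if (presented === null || clients.length === 0) return false;
  const got = digest(presented);
  let ok = false;
  // Check every entry; no early exit on the first match.
  for (const c of clients) ok = timingSafeEqual(got, c) || ok;
  return ok;
}

// Status a POST /events handler would return before reading the body.
function authStatus(header, clients) {
  return isAuthorized(header, clients) ? 200 : 401;
}

// Constructed sample values, not real credentials.
const CLIENTS = parseClients('collector-a:s3cret-one, collector-b:p:w');
const hdr = (cred) => 'Basic ' + Buffer.from(cred).toString('base64');
console.log(authStatus(hdr('collector-a:s3cret-one'), CLIENTS));
console.log(authStatus(hdr('collector-a:wrong'), CLIENTS));
```

An empty or unset `CLIENTS` denies every request here, so a misconfigured deployment does not silently accept unauthenticated events.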