fdo-rs / fido-device-onboard-rs

An implementation of the FIDO Device Onboard (FDO) spec written in Rust.
BSD 3-Clause "New" or "Revised" License

Do not start admin API server when `admin_auth_token` is omitted #443

Open nak3 opened 1 year ago

nak3 commented 1 year ago

Currently, to disable the admin server, we need to omit `admin_auth_token`:

https://github.com/fedora-iot/fido-device-onboard-rs/blob/65dfeed238a82501df46ee3e4d456df947e7e7a9/serviceinfo-api-server/src/main.rs#L132-L136

It is "ok", but it is better for security to exclude the admin API (`admin_v0`) from the server routes when `admin_auth_token` is omitted here:

https://github.com/fedora-iot/fido-device-onboard-rs/blob/65dfeed238a82501df46ee3e4d456df947e7e7a9/serviceinfo-api-server/src/main.rs#L461-L465

warp seems to have the feature: https://github.com/seanmonstar/warp/issues/121
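The route-registration pattern this issue asks for, as an added example that is not code from fido-device-onboard-rs. Because the project is moving off warp, it uses a small std-only route table as a stand-in for the framework's filter chain rather than warp's own API; the `Config` struct, the `/admin/v0` and `/device_info` paths, the handler names and the token value are all assumptions made for the example. The point it shows is the difference between the two behaviours: with the admin route registered but every request rejected, an unauthenticated probe still learns the endpoint exists (401); with the route never registered, the same probe gets the same 404 as any unknown path.

```rust
// Added example, not fido-device-onboard-rs code: the admin API is registered
// only when `admin_auth_token` is present, so omitting the token removes the
// route entirely instead of leaving a guarded-but-discoverable endpoint.
use std::collections::HashMap;

/// Subset of the service-info server configuration relevant here (assumed shape).
#[derive(Debug, Clone)]
pub struct Config {
    pub admin_auth_token: Option<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Response {
    Ok(&'static str),
    Unauthorized,
    NotFound,
}

/// Handler receives the optional `Authorization` header value and the config.
type Handler = fn(Option<&str>, &Config) -> Response;

/// Toy route table keyed by "METHOD path"; stand-in for a warp filter chain.
pub struct Router {
    routes: HashMap<String, Handler>,
    config: Config,
}

fn route_key(method: &str, path: &str) -> String {
    format!("{} {}", method.to_ascii_uppercase(), path)
}

/// Constant-time byte comparison so a token check does not leak the length
/// of the matching prefix through timing.
fn constant_time_eq(a: &str, b: &str) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Unauthenticated device-facing endpoint (assumed path).
fn device_info(_auth: Option<&str>, _cfg: &Config) -> Response {
    Response::Ok("device_info")
}

/// Admin endpoint (assumed path). Only reachable when registered, i.e. when a
/// token is configured; it still verifies the presented token on every call.
fn admin_v0(auth: Option<&str>, cfg: &Config) -> Response {
    match (auth, cfg.admin_auth_token.as_deref()) {
        (Some(presented), Some(expected)) if constant_time_eq(presented, expected) => {
            Response::Ok("admin_v0")
        }
        _ => Response::Unauthorized,
    }
}

impl Router {
    /// Build the route table. The admin route is inserted only when
    /// `admin_auth_token` is set; with it omitted the route does not exist.
    pub fn new(config: Config) -> Self {
        let mut routes: HashMap<String, Handler> = HashMap::new();
        routes.insert(route_key("POST", "/device_info"), device_info as Handler);
        if config.admin_auth_token.is_some() {
            routes.insert(route_key("POST", "/admin/v0"), admin_v0 as Handler);
        }
        Router { routes, config }
    }

    pub fn has_route(&self, method: &str, path: &str) -> bool {
        self.routes.contains_key(&route_key(method, path))
    }

    /// Dispatch a request; unknown routes get 404, indistinguishable from any
    /// other missing path.
    pub fn handle(&self, method: &str, path: &str, auth: Option<&str>) -> Response {
        match self.routes.get(&route_key(method, path)) {
            Some(handler) => handler(auth, &self.config),
            None => Response::NotFound,
        }
    }
}

fn main() {
    let disabled = Router::new(Config { admin_auth_token: None });
    println!("admin route registered without token? {}", disabled.has_route("POST", "/admin/v0"));
    println!("probe without token: {:?}", disabled.handle("POST", "/admin/v0", Some("guess")));

    let enabled = Router::new(Config { admin_auth_token: Some("example-token".into()) });
    println!("admin route registered with token? {}", enabled.has_route("POST", "/admin/v0"));
    println!("wrong token: {:?}", enabled.handle("POST", "/admin/v0", Some("guess")));
}
```

The same structure carries over to any router that composes routes as values: build the admin filter or route group inside an `if let Some(token) = config.admin_auth_token`, and combine it with the rest only in that branch, so the disabled server is byte-for-byte the one without the admin surface rather than one that merely refuses it.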

nullr0ute commented 1 year ago

Note we'll be migrating from warp shortly