fortran-lang / registry

Registry for Fortran package manager
MIT License

Authentication API #20

Open arteevraina opened 1 year ago

arteevraina commented 1 year ago

In the registry server, we are following token-based authentication, in which, if the token is valid and belongs to a particular user in the database, we allow the user to access the API at least.

But it has its downsides as well. For example, if a person has the valid token, they can send in a request from any client, and if the data is correct then the API will perform its task accordingly.

We can discuss the better approaches to perform authentication in this issue.

cc: @henilp105 @minhqdao @perazz

minhqdao commented 1 year ago

Cargo does it the same way. The token cannot be guessed and should obviously not be shared by the user. It also has a limited lifetime. Therefore I'd say that it does the job for now.

We can add a proper login in the future.
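
The token model discussed in this thread (an unguessable token that belongs to one user and has a limited lifetime), sketched as an added example that is not the registry's own code. The in-memory table, the function names and the one-hour lifetime are assumptions; the check looks only at the token, so it is a bearer credential that works from any client, as the issue notes.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME_SECONDS = 3600  # assumed lifetime; the thread gives no value

# Stand-in for the registry's user database (hypothetical schema):
# token digest -> (username, expiry as Unix time)
_tokens = {}


def _digest(token):
    # Only the digest is stored, so a leaked table does not reveal usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username, now=None):
    """Create an unguessable token for username and record its expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = (username, now + TOKEN_LIFETIME_SECONDS)
    return token


def authenticate(token, now=None):
    """Return the owning username, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token:
        return None
    key = _digest(token)
    record = _tokens.get(key)
    if record is None:
        return None
    username, expires_at = record
    if now >= expires_at:
        del _tokens[key]  # expired tokens are purged on first use
        return None
    return username


def revoke(token):
    """Invalidate a token the user believes was exposed."""
    return _tokens.pop(_digest(token), None) is not None
```
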