Open MikeTheCanuck opened 6 years ago
Nathan Miller responds,
That's a good question. I think it makes sense to use djangos builtin authentication mechanisms. I will look into how they work and if they can be shared between apps.
My questions are:
Human Problem of API Keys
Let's also be clear if someone is providing their personal information to us for login access we will need to properly encrypt and hold the data, Django's auth is pretty secure but we must then have an update schedule for security releases and the like.
Specific reason is to disallow people we don't know from using it and to be able to throttle usage from people we authorize.
One way to do this would be to enable Django's builtin token authentication and enable the token authentication view. We then create one user/password combo in each backend, call it 'apiuser'/'apipass' and give that out to anyone who wants to use the API endpoints, including the frontend devs. Once someone asks us to use the endpoint, or the front end devs want to write client code against it, we give these credentials to them, and they use the view to input the credentials and receive the token back, then they can make calls to the endpoints providing the auth token.
This essentially only prevents people we don't know from using the endpoints, but also allows us to use the builtin throttling.
This has the benefit of not having to create or allow creation of accounts, and also to not have to keep user's secrets in our system.
It does not provide a high level of security, but does prevent the random bad actor from abusing our services. (Also it sounds like we don't have the resources or desire to create or maintain a higher level of security so this may be a practical compromise)
Another alternative, for a more traditional API key approach, would be this: https://github.com/manosim/django-rest-framework-api-key
I see no reason why we couldn't have one key authenticate across multiple backends using this approach.
On Mon, Jun 25, 2018, 4:05 PM Nathan Miller notifications@github.com wrote:
Specific reason is to disallow people we don't know from using it and to be able to throttle usage from people we authorize.
One way to do this would be to enable Django's builtin token authentication and enable the token authentication view. We then create one user/password combo in each backend, call it 'apiuser'/'apipass' and give that out to anyone who wants to use the API endpoints, including the frontend devs.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/hackoregon/civic-devops/issues/198#issuecomment-400123183, or mute the thread https://github.com/notifications/unsubscribe-auth/ABvqFA4RZJkakzjRwQWe_7CcdwPIL1jjks5uAWyrgaJpZM4U29Vy .
Ed Borasky asks,