Currently, the RequestInterceptor is only applied to regular queries, and is not applied to health checks. This approach is valid if three assumptions hold:
All request-interceptors are authentication providers
The health check endpoint is unauthenticated (true by default)
The default health check route is not changed to an authenticated route
It's a pretty reasonable set of assumptions at first glance, but I think it's too restrictive. For example: people who use a reverse proxy for access control should have the option to just slap access control in front of the entire Broker API, without poking a hole for the /status/health route.