Closed csmith closed 3 years ago
ShaneMcC
commented
3 years ago Part of me likes this idea, but also another part of me thinks it's a bit weird.
The httpreq stuff only exists because I'm too lazy to write acme.sh or lego plugins properly and wanted to quickly be able to use something else that relied on them.
If I had written proper plugins, then the ability to limit httpreq specifically would be a weird outlier.
csmith
commented
3 years ago I'd be happy with API keys limited to certain record types (and preferably patterns).
It does seem generally useful that, say, a ddns updater can be limited to only changing A/AAAA records not your MX; the acme client can be limited to _acme-challenge.* TXT records, etc.
ShaneMcC
commented
3 years ago Done. Set a recordregex on a key to limit it. (This also stops it doing a few other things)
Record regex is matched as /^<regex>$/i against <rrtype> <record fqdn> so you probably want TXT _acme-challenge\..*
In future I might expand on this to allow multiple patterns or other more complex things, but this will do for now.
It would be nice to be able to have an API key that is limited to only the external/httpreq endpoint, effectively limiting it to adding and removing ACME validation TXT records.
That way if the API key is leaked in any way, the damage is minimised.
I'm not sure if this generalises to other endpoints or if httpreq is a special case that needs its own special treatment...