redwoodjs / redwood

The App Framework for Startups
https://redwoodjs.com
MIT License
17.26k stars 991 forks

Custom API Key Authentication #5714

Closed filippofinke closed 3 months ago

filippofinke commented 2 years ago

It would be nice to have a custom authentication that allows you to manage the authentication using API Keys.

For example, add a configuration to the dbAuth class that allows the reset and forgot password methods to be disabled. In addition to that, also an option that disables the hash function on the password.

simoncrypta commented 2 years ago

@filippofinke It can be interesting to have an API key auth for Redwood, especially for projects that only use the API side. However, it is important to note that API keys are not considered secure and are for projects, not users. So I don't think we can really use dbAuth for that. A new auth provider for API only can be an intriguing idea to develop. What is your use case for a custom API Key Authentication?

filippofinke commented 2 years ago

I am currently writing an internal tool for my company.

The users go to the application written in RedwoodJS with a custom browser that shares the hostname and MAC address of the machine they are using; different machines have different roles.

The application uses the hostname as username and the MAC address as API Key.

simoncrypta commented 2 years ago

Interesting, it is a very unique way of doing auth for a web app. I know that we should have a custom auth setup that can be a good starting point for doing this, but… it is not there yet. https://github.com/redwoodjs/redwood/issues/1585 Maybe your use case can be taken into consideration for the custom auth setup.

Also, someone wrote how he had made a custom JWT auth with Redwood in this forum thread: https://community.redwoodjs.com/t/custom-github-jwt-auth-with-redwood-auth/610/24

dthyresson commented 3 months ago

See https://www.unkey.com. We'll have middleware to support API key verification.
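
An added example, not code from this thread, Redwood, or Unkey: one way to verify API keys in a Node.js API side while storing only a hash of each key, so hashing stays on for keys just as it does for passwords. The `id.secret` key format, the in-memory `keyStore`, and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory store standing in for a database table (assumption).
// Maps key id -> { hash, role }. Only the SHA-256 digest of the secret is kept,
// so a leaked table does not reveal usable keys.
const keyStore = new Map();

// A fast hash is adequate here because the secret is 32 random bytes,
// not a human-chosen password.
function hashSecret(secret) {
  return crypto.createHash('sha256').update(secret).digest();
}

// Issue a key of the form "<id>.<secret>". The plaintext is returned once
// to the caller and never stored.
function issueApiKey(role) {
  const id = crypto.randomBytes(8).toString('hex');
  const secret = crypto.randomBytes(32).toString('base64url');
  keyStore.set(id, { hash: hashSecret(secret), role });
  return `${id}.${secret}`;
}

// Returns { id, role } for a valid key, or null for anything else.
function verifyApiKey(presented) {
  if (typeof presented !== 'string') return null;
  const dot = presented.indexOf('.');
  if (dot <= 0) return null;
  const id = presented.slice(0, dot);
  const secret = presented.slice(dot + 1);
  const record = keyStore.get(id);
  // Hash and compare even when the id is unknown, so both paths do the same work.
  const candidate = hashSecret(secret);
  const expected = record ? record.hash : Buffer.alloc(candidate.length);
  const ok = crypto.timingSafeEqual(candidate, expected);
  return record && ok ? { id, role: record.role } : null;
}

// Revocation is a delete by id; the secret is not needed.
function revokeApiKey(id) {
  return keyStore.delete(id);
}
```
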