tollwerk / fractal-tenon

Fractal component library tool (http://fractal.build) plugin for accessibility testing against Tenon (http://tenon.io)
https://github.com/tollwerk/fractal-tenon
MIT License

Issues with making Fractal publicly available #3

Open gmhba-digital opened 5 years ago

gmhba-digital commented 5 years ago

Hi, I was just wondering if you could clarify this in the documentation.

You say:

Public URL "Public URL: Your Fractal instance needs to be publicly available for Tenon to fetch and test your components."

but also say:

"due to the nature of the Tenon API, you should never make your Tenon connected Fractal instance available to the public."

If we can't make it public without exposing that API key, then how can we use it?

jkphl commented 5 years ago

@gmhba-digital That's a very good point indeed, and personally I do not have a satisfactory answer.

  1. At the moment, Tenon requires you to send the API key along with every request, so anyone monitoring the request could possibly view these credentials.
  2. Tenon offers two ways to test a document: either you provide a (public) URL or you send the complete HTML fragment including all sorts of resources (CSS, JavaScript, images, etc.) inlined into the document so that no external request is necessary. I talked to @karlgroves about this and he seems to recommend the inline way but frankly I don't consider this realistic. From within Fractal I don't see a way to on-the-fly-inline all the (highly dynamic) and send them over to Tenon.
  3. As soon as Tenon is able to publicly access your Fractal instance, anyone else can do as well — which leads you back to 1. and the disclosure of your API key (which probably even breaks Tenon's terms of use, Karl?).

I see 2 possible "solutions":

Any thoughts?
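The inline route from point 2, as an added example that is not fractal-tenon's or Tenon's own code: a Node helper that turns a component fragment plus an in-memory map of its resources into one self-contained document, so that the document could be submitted as source rather than fetched from a publicly reachable Fractal instance (point 3). The fragment, the resource paths and their contents are constructed here; in a real build they would come from Fractal's static output.

```javascript
// Added example (not fractal-tenon's code). Inlines stylesheets, scripts and
// images referenced by a component fragment so the result needs no external
// requests. Assumption: `resources` maps a path to its contents (string or
// Buffer); a real build would read them from the Fractal static directory.
const MIME = { '.css': 'text/css', '.js': 'text/javascript', '.png': 'image/png', '.svg': 'image/svg+xml' };

function mimeFor(path) {
  const ext = path.slice(path.lastIndexOf('.')).toLowerCase();
  return MIME[ext] || 'application/octet-stream';
}

// Returns { html, missing }: the self-contained document and every referenced
// path that was not found (those tags are left untouched so the caller can
// refuse to send a document that would still trigger external fetches).
function inlineResources(fragment, resources) {
  const missing = [];
  const lookup = (path) => {
    if (!(path in resources)) { missing.push(path); return null; }
    return resources[path];
  };
  const html = fragment
    // <link rel="stylesheet" href="..."> becomes <style>...</style>
    .replace(/<link\b[^>]*\bhref="([^"]+)"[^>]*>/gi, (tag, href) => {
      if (!/rel="stylesheet"/i.test(tag)) return tag;
      const css = lookup(href);
      return css === null ? tag : `<style>${css}</style>`;
    })
    // <script src="..."></script> becomes <script>...</script>
    .replace(/<script\b[^>]*\bsrc="([^"]+)"[^>]*><\/script>/gi, (tag, src) => {
      const js = lookup(src);
      return js === null ? tag : `<script>${js}</script>`;
    })
    // <img src="..."> gets a base64 data: URI instead of a path
    .replace(/(<img\b[^>]*\bsrc=")([^"]+)(")/gi, (tag, pre, src, post) => {
      const bytes = lookup(src);
      if (bytes === null) return tag;
      const b64 = Buffer.from(bytes).toString('base64');
      return `${pre}data:${mimeFor(src)};base64,${b64}${post}`;
    });
  return { html: `<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>${html}</body></html>`, missing };
}

// Constructed sample fragment and resources (not from any real component).
const SAMPLE_FRAGMENT = '<link rel="stylesheet" href="/css/button.css"><button class="btn">Go</button>'
  + '<img src="/img/icon.svg" alt=""><script src="/js/button.js"></script>';
const SAMPLE_RESOURCES = {
  '/css/button.css': '.btn{color:red}',
  '/js/button.js': 'console.log(1)',
  '/img/icon.svg': '<svg xmlns="http://www.w3.org/2000/svg"/>',
};
```

Only a document with an empty `missing` list is fully self-contained; anything else would still make Tenon (or anyone) reach out for resources.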