trustification / trustify


I can't penetrate the application's security #395

Closed jcrossley3 closed 3 months ago

jcrossley3 commented 3 months ago

I run cargo run --bin trustd

I get a blank screen at http://localhost:8080

I get 401 errors executing anything via http://localhost:8080/openapi/

I get 401 errors using curl or httpie.

ctron commented 3 months ago

I don't know why you get a blank screen at http://localhost:8080/, that works for me.

For the API, you'll need to provide an OIDC access token. OpenAPI has a login button which works for me.

On the command line I use:

# once
oidc create confidential --issuer http://localhost:8090/realms/trustify --client-id walker --client-secret R8A6KFeyxJsMDBhjfHbpZTIF0GWt43HP trusty

# with every request
http POST localhost:8080/api/v1/importer/cve/force Authorization:$(oidc token trusty -bf)

carlosthe19916 commented 3 months ago

The so-called "PM mode" where we execute cargo run --bin trustd is actually Dev Mode (meant for developers); this command is executed on a daily basis (I do, at least). Personally, when I want to play with the REST API, I always execute export AUTH_DISABLED=true and then cargo run --bin trustd

ctron commented 3 months ago

So, maybe we should have "pm mode" and "dev mode". I think that makes sense. And I would argue we had that with the (now removed) pm feature gate.