use swagger for api security #29
base: master
Conversation
Code below line 62 in server.js is not needed anymore either.
@justinggrant Thanks for the help! @offerakrabi - is /nlu removed in the release that removes support for NLU eval by core?
@erezbi
@erezbi - understood. That would be a fairly easy change to make and just store keys in JSON or a comma separated list. Is there a preferred format?
@justinggrant I would go with the simplest. It just needs to be a list of keys, that's all. We would eventually like to support adding a key to the list, but this has an even more complicated authentication story. Such an endpoint will have to be only accessible to the skill maintainer/admin, and not to any customer that is using the skill and has a key to the other endpoints.
@erezbi - I made a small change to support either a single key or a comma separated list of keys. Both are kept in the environmental variable API_KEY.
@justinggrant thanks!
@erezbi - any progress on this update? Thanks.
@justinggrant sorry, nothing yet, we need to do quite some work to get this into master. This is waiting currently for higher priority issues.
I recommend a few changes to the way the API key is handled by WPA. Swagger has built-in capability to handle API keys, so I updated the swagger to use that and protect a few specific routes. I recommend that the NLU route be protected as it contains credentials for the skill's WCS space that could be used for bad intent.
I also recommend that the API_KEY be stored in an environmental variable as opposed to a text file within the res folder. This will allow the skill developer to set the key how they wish. For example, they could add it to a .env file or store it in their CF or use a secret within Kubernetes.