On Thu, Feb 27, 2020 at 10:04 PM Ming Wen <[email protected]> wrote:

> I looked at this PR and I have two questions:
> 1. Should we put the auth key in the http header `Authorization`? which is
> more standard
>

For key-based authentication, it is standard to use `apikey` in the header.


> 2. If the authentication fails, it should return 401 directly, and for
> security reasons, it should not return the specific error reason
>

That's a good catch. I have fixed it,
and added more test cases.


>
> Thanks,
> Ming Wen, Apache APISIX
> Twitter: _WenMing
>
>
> YuanSheng Wang <[email protected]> wrote on Thu, Feb 27, 2020 at 9:31 PM:
>
> > I submit a PR right now[1] . ^_^
> >
> > [1] https://github.com/apache/incubator-apisix/pull/1169
> >
> >
> >
> > On Thu, Feb 27, 2020 at 8:47 PM YuanSheng Wang <[email protected]> wrote:
> >
> > >
> > >
> > > On Thu, Feb 27, 2020 at 8:28 PM Ming Wen <[email protected]> wrote:
> > >
> > >> I think we can add support for https at the same time. I will do it.
> > >>
> > >
> > > that is great ^_^
> > >
> > >
> > >
> > >>
> > >> Thanks,
> > >> Ming Wen, Apache APISIX
> > >> Twitter: _WenMing
> > >>
> > >>
> > >> Zhiyuan Ju <[email protected]> wrote on Thu, Feb 27, 2020 at 7:30 PM:
> > >>
> > >> > It's a good idea and can be landed on Dashboard quickly.
> > >> >
> > >> > Best Regards!
> > >> > @ Zhiyuan Ju <https://www.shaoyaoju.org/>
> > >> >
> > >> >
> > >> > doggieと杨 <[email protected]> wrote on Thu, Feb 27, 2020 at 7:02 PM:
> > >> >
> > >> > > this is a good way.
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > ------------------ Original Message ------------------
> > >> > > From: "YuanSheng Wang" <[email protected]>;
> > >> > > Sent: Thursday, Feb 27, 2020, 6:58 PM
> > >> > > To: "[email protected]" <[email protected]>;
> > >> > >
> > >> > > Subject: [Discussion] Add a key-based authentication to the dashboard
> > >> > >
> > >> > >
> > >> > >
> > >> > > Hi:
> > >> > >
> > >> > > After the Apache APISIX instance is started, the current Admin API
> > >> > > does not have any authentication verification mechanism, which is
> > >> > > very insecure for users.
> > >> > >
> > >> > > I recommend adding a simple KEY token authentication to the Admin
> > >> > > API.
> > >> > >
> > >> > > For example, specifying a whitelist of allowed tokens directly in
> > >> > > `conf/config.yaml` might be an easy way.
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > *MembPhis*
> > >> > > My github: https://github.com/membphis
> > >> > > Apache APISIX: https://github.com/apache/incubator-apisix
> > >> >
> > >>
> > >
> > >
> > > --
> > >
> > > *MembPhis*
> > > My github: https://github.com/membphis
> > > Apache APISIX: https://github.com/apache/incubator-apisix
> > >
> >
> >
> > --
> >
> > *MembPhis*
> > My github: https://github.com/membphis
> > Apache APISIX: https://github.com/apache/incubator-apisix
> >
>


-- 

*MembPhis*
My github: https://github.com/membphis
Apache APISIX: https://github.com/apache/incubator-apisix
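Added illustration, not code from the PR or from APISIX itself: a model of the Admin API check the thread settles on, a whitelist of tokens read from `conf/config.yaml`, the token presented in an `apikey` header, and a bare 401 on any failure with the specific reason kept in the server log only. The `admin_keys` config key and the sample key values are assumptions made up for this example.

```python
import hmac
from typing import Mapping, Tuple

# Constructed sample of the token whitelist the proposal suggests keeping in
# conf/config.yaml. The `admin_keys` name and the values are assumptions for
# this example, not APISIX's real config schema or real keys.
CONFIG_YAML = """\
admin_keys:
  - edd1c9f034335f136f87ad84b625c8f1
  - 5b1e7d9a3f2c4e6a8d0b1c2d3e4f5a6b
"""


def load_admin_keys(yaml_text: str) -> frozenset:
    """Minimal reader for the `admin_keys:` list above (no PyYAML dependency)."""
    keys, in_list = [], False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if stripped == "admin_keys:":
            in_list = True
        elif in_list and stripped.startswith("- "):
            keys.append(stripped[2:].strip())
        elif in_list and stripped:
            in_list = False  # the next top-level key ends the list
    return frozenset(keys)


def check_admin_request(headers: Mapping[str, str],
                        allowed: frozenset) -> Tuple[int, str, str]:
    """Return (status, response body, server-side log reason).

    Every failure yields the same 401 and the same body; the detailed reason
    goes only to the log, so a caller cannot tell a missing key from a wrong one.
    """
    # Header names are case-insensitive, so match `apikey` regardless of case.
    presented = next((v for k, v in headers.items() if k.lower() == "apikey"), None)
    if presented is None:
        return 401, "Unauthorized", "admin api: apikey header missing"
    # Compare against every whitelisted key in constant time, without
    # short-circuiting, so response time does not reveal which entry matched.
    matched = False
    for key in allowed:
        if hmac.compare_digest(presented.encode(), key.encode()):
            matched = True
    if not matched:
        return 401, "Unauthorized", "admin api: apikey not in whitelist"
    return 200, "OK", "admin api: authenticated"
```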
