On Fri, Feb 28, 2020 at 9:52 AM Ming Wen <[email protected]> wrote:

> > For key-based authentication, it is standard to use `apikey` in the
> > header.
>
> I think we should design as described[1] by swagger instead of `apikey`.
>
> [1] https://swagger.io/docs/specification/authentication/api-keys/

agree with you, that is much better.

> Thanks,
> Ming Wen, Apache APISIX
> Twitter: _WenMing
>
>
> YuanSheng Wang <[email protected]> wrote on Fri, Feb 28, 2020 at 9:02 AM:
>
> > On Thu, Feb 27, 2020 at 10:04 PM Ming Wen <[email protected]> wrote:
> >
> > > I looked at this PR and I have two questions:
> > > 1. Should we put the auth key in the http header `Authorization`? which is
> > > more standard
> > >
> >
> > For key-based authentication, it is standard to use `apikey` in the header.
> >
> > > 2. If the authentication fails, it should return 401 directly, and for
> > > security reasons, it should not return the specific error reason
> > >
> >
> > that is a good catch. I have fixed it.
> > And added more test cases.
> >
> > >
> > > Thanks,
> > > Ming Wen, Apache APISIX
> > > Twitter: _WenMing
> > >
> > >
> > > YuanSheng Wang <[email protected]> wrote on Thu, Feb 27, 2020 at 9:31 PM:
> > >
> > > > I submitted a PR right now[1]. ^_^
> > > >
> > > > [1] https://github.com/apache/incubator-apisix/pull/1169
> > > >
> > > >
> > > > On Thu, Feb 27, 2020 at 8:47 PM YuanSheng Wang <[email protected]> wrote:
> > > >
> > > > > On Thu, Feb 27, 2020 at 8:28 PM Ming Wen <[email protected]> wrote:
> > > > >
> > > > >> I think we can add support for https at the same time. I will do it.
> > > > >>
> > > > >
> > > > > that is great ^_^
> > > > >
> > > > >>
> > > > >> Thanks,
> > > > >> Ming Wen, Apache APISIX
> > > > >> Twitter: _WenMing
> > > > >>
> > > > >>
> > > > >> Zhiyuan Ju <[email protected]> wrote on Thu, Feb 27, 2020 at 7:30 PM:
> > > > >>
> > > > >> > It's a good idea and can be landed on Dashboard quickly.
> > > > >> >
> > > > >> > Best Regards!
> > > > >> > @ Zhiyuan Ju <https://www.shaoyaoju.org/>
> > > > >> >
> > > > >> >
> > > > >> > doggieと杨 <[email protected]> wrote on Thu, Feb 27, 2020 at 7:02 PM:
> > > > >> >
> > > > >> > > this is a good way.
> > > > >> > >
> > > > >> > > ------------------ Original Message ------------------
> > > > >> > > From: "YuanSheng Wang"<[email protected]>;
> > > > >> > > Sent: Thursday, February 27, 2020, 6:58 PM
> > > > >> > > To: "[email protected]"<[email protected]>;
> > > > >> > >
> > > > >> > > Subject: [Discussion] Add a key-based authentication to the dashboard
> > > > >> > >
> > > > >> > >
> > > > >> > > Hi:
> > > > >> > >
> > > > >> > > After the Apache APISIX instance is started, the current Admin API does not
> > > > >> > > have any authentication verification mechanism, which is very insecure for
> > > > >> > > users.
> > > > >> > >
> > > > >> > > I recommend adding a simple KEY token authentication to the Admin API.
> > > > >> > >
> > > > >> > > For example, specifying a whitelist of allowed tokens directly in
> > > > >> > > `conf/config.yaml` might be an easy way.
> > > > >> > >
> > > > >> > >
> > > > >> > > --
> > > > >> > > *MembPhis*
> > > > >> > > My github: https://github.com/membphis
> > > > >> > > Apache APISIX: https://github.com/apache/incubator-apisix
> > > > >> >
> > > > >>
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > *MembPhis*
> > > > > My github: https://github.com/membphis
> > > > > Apache APISIX: https://github.com/apache/incubator-apisix
> > > > >
> > > >
> > > >
> > > > --
> > > >
> > > > *MembPhis*
> > > > My github: https://github.com/membphis
> > > > Apache APISIX: https://github.com/apache/incubator-apisix
> > > >
> > >
> >
> >
> > --
> >
> > *MembPhis*
> > My github: https://github.com/membphis
> > Apache APISIX: https://github.com/apache/incubator-apisix
> >
>

--
*MembPhis*
My github: https://github.com/membphis
Apache APISIX: https://github.com/apache/incubator-apisix
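
The two points settled in this thread, a whitelist of allowed tokens taken from configuration and a bare 401 that does not say why authentication failed, shown as an added example; it is not code from the APISIX project or from the PR linked above. The function name, the `ALLOWED_KEYS` list, the response body and the sample tokens are constructed for illustration, and the `X-API-KEY` header name is an assumption following the Swagger convention referenced in the thread.

```python
import hmac

# Constructed sample tokens. In the thread's proposal the allowed tokens
# would be listed in conf/config.yaml; this list stands in for that.
ALLOWED_KEYS = ["k1-constructed-sample-token", "k2-constructed-sample-token"]
HEADER_NAME = "X-API-KEY"  # assumption: Swagger-style API key header


def _unauthorized():
    # One identical response for every failure, so a caller cannot tell a
    # missing header from an empty, malformed or unknown key.
    return 401, {"error": "unauthorized"}


def check_admin_request(headers, allowed_keys=ALLOWED_KEYS, header_name=HEADER_NAME):
    """Return (status, body) for an Admin API request, given its headers dict."""
    # HTTP header names are case-insensitive; collect every spelling.
    wanted = header_name.lower()
    values = [v for k, v in headers.items() if k.lower() == wanted]

    # Exactly one value is accepted; zero or several are treated as no key.
    presented = values[0].strip() if len(values) == 1 else ""
    presented_bytes = presented.encode("utf-8")

    matched = False
    for key in allowed_keys:
        if not key:
            continue  # an empty whitelist entry must never match
        # Constant-time comparison, and no early exit from the loop, so
        # response timing does not depend on which entry matched.
        if hmac.compare_digest(presented_bytes, key.encode("utf-8")):
            matched = True

    if not presented or not matched:
        return _unauthorized()
    return 200, {"message": "ok"}


if __name__ == "__main__":
    print(check_admin_request({"X-API-KEY": "k1-constructed-sample-token"}))
    print(check_admin_request({"X-API-KEY": "wrong"}))
    print(check_admin_request({}))
```
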
