Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure/Authenticated API access #2389

Open
Stebalien opened this issue Feb 22, 2016 · 7 comments
Open

Secure/Authenticated API access #2389

Stebalien opened this issue Feb 22, 2016 · 7 comments
Labels
topic/security Topic security
Projects
ipfs/go-ipfs

Comments

@Stebalien
Copy link
Member

Stebalien commented Feb 22, 2016

Currently,

  1. Anyone on a machine running IPFS can access the IPFS API over the HTTP interface. This means any user can, e.g., read any running daemon's private keys.
  2. Anyone on a machine can run an IPFS server on the standard IPFS port and the IPFS client will blindly use it. This means that a malicious user could impersonate the IPFS server.

Solutions:

  1. Use unix domain sockets. The daemon could expose the API over one or more unix domain sockets. If multiple sockets are used, administrators could control access to various APIs using standard unix permissions (this doesn't require multiple sockets but that might make implementation easier).
  2. Use HTTP authentication and store some API key in the IPFS directory. With this method, care must be taken to authenticate both ways.
@RichardLitt RichardLitt added the topic/security Topic security label Feb 23, 2016
@ghost
Copy link

ghost commented Oct 13, 2016
edited by ghost

We, at INFURA, really need to work on some kind of implementation for authentication of the API. This element, indeed, has a priority a little higher than developing ipfs-cluster 😬.

I know @jbenet you told me that IPFS daemon is not meant that way. But the need is there, to provide a daemon to people to upload and pin files. I had a quick conversation at DevCon2 with @whyrusleeping, and was suggested to build a specification, to discuss and implement.

So my question: Where do we move this conversation, so I can start a specification and implement it? In this repository? In ipfs/specs?

Thank you y gracias por la paciencia, los últimos meses han sido una locura!

HJ.-

@Kubuxu
Copy link
Member

Kubuxu commented Oct 13, 2016

There is also #1532

@ghost
Copy link

ghost commented Oct 13, 2016

@Kubuxu Cool. @jbenet told me there was a more mature issue. So, that was it 😄

Thanks!

@sebs
Copy link

sebs commented Oct 14, 2016

I like this a lot.

@buzz buzz mentioned this issue Nov 28, 2016
Closed
@momack2 momack2 added this to Inbox in ipfs/go-ipfs May 9, 2019
@NotBad4U
Copy link

NotBad4U commented Dec 6, 2019
edited

Any update on this ? For now, we just put the IPFS API behind a wireguard but that can be very profitable to have a way to add auth in the IPFS API for ACL.

@Stebalien
Copy link
Member Author

Stebalien commented Dec 7, 2019

@scanlime
Copy link

scanlime commented Sep 3, 2020

If I understand correctly, the current setup means anyone on localhost is privileged to interact with the API?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic/security Topic security
Projects
No open projects
ipfs/go-ipfs
Inbox
Milestone
No milestone
Development

No branches or pull requests
6 participants
@sebs @Stebalien @RichardLitt @scanlime @Kubuxu @NotBad4U