Add authentication to routes #11
Comments
Hey! We actually thought about this but decided to go without authentication because the hooks don’t disclose any information and it should be totally safe to call them externally. The only thing I can think of is that someone might try to DoS your server by executing the hook multiple times. Perhaps the easiest solution is to deny access from all IPs except localhost (or the server which runs the cron) via
It doesn't disclose information but it runs code that shouldn't be run by anonymous visitors. My example is that pushing the content automatically triggers a deployment, so I need to control when pushes happen. That's why I decided to use version 1.0.0 of the plugin for now.
Ah, ok. That’s a really good reason. Do you think it’s enough to implement an IP check? For example a configuration option like This should be really easy to implement.
For me it would be enough to completely disable the route actually. Maybe an option like
OK! I’ve just created another issue (#12) for this. I think an IP check is a good option too, so I leave this issue open, too. Thanks for your input! :)
Hey there,
Hi, yes you can set the I don’t know why I kept this issue open 🧐🤣 Maybe I thought about implementing Basic-Auth or something like this. Will close it for now.
The routes can currently be accessed without any authentication. I think you should make sure that a user is logged in and/or use HTTP basic auth for this.
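
The three controls raised in this thread (switching the route off, an IP check, HTTP basic auth) can be layered in one gate. The sketch below is an added example, not code from the plugin or from anyone in the thread; the setting names, the cron host address and the credentials are constructed assumptions.

```python
import base64
import hmac
import ipaddress

# Hypothetical settings; these names are assumptions, not the plugin's options.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "::1/128",   # localhost
    "203.0.113.10/32",           # constructed address for the cron server
)]
BASIC_USER, BASIC_PASS = "cron", "constructed-secret"


def ip_allowed(remote_addr):
    """Check the TCP peer address, never X-Forwarded-For (client-controlled)."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap first,
    # otherwise a legitimate localhost call is rejected.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in ALLOWED_NETS)


def basic_auth_ok(header):
    """Validate an Authorization header value using constant-time comparison."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    ok_user = hmac.compare_digest(user.encode(), BASIC_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), BASIC_PASS.encode())
    return ok_user and ok_pass


def authorize_hook(remote_addr, auth_header=None, enabled=True):
    """Return the HTTP status the hook route should answer with."""
    if not enabled:
        return 404  # route disabled: behave as if it does not exist
    if not ip_allowed(remote_addr):
        return 403
    if not basic_auth_ok(auth_header):
        return 401
    return 200
```

Behind a reverse proxy the peer address is the proxy's, so the allowlist then has to be enforced at the proxy or on an address the proxy itself sets.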