Aiohttp_security - securing access to AcaPy assets - SSL/HTTPS #86

Open
frogman opened this issue Apr 5, 2021 · 3 comments
Labels
Type: Question ❔ Question about implementation or some technical aspect

Comments

frogman commented Apr 5, 2021

Question

I was worried about the security in the AcaPy aiohttp instances and asyncio calls with the API endpoints.

Further Information

Maybe I missed it, but following the aiohttp.clientsession calls from the AcaPy endpoints I could not find any built-in security.
https://aiohttp-security.readthedocs.io/en/latest/usage.html
We could check out the Python-native aiohttp-security library, which uses security policies.
There is also an alternative we can reach for: using SSL when serving Swagger calls.

Additional Context

We could also consider installing an SSL certificate in the Swagger Certificate Manager (not sure if AcaPy allows this admin part of the API to be administered or changed).
Or we can use HA load balancers to capture HTTPS traffic and balance it further to the AcaPy Swagger endpoints.
In both approaches we need access to the Swagger Admin Center -- usually at http://<DOMAIN_or_IP>/ui

Cheers.

Z

wip-abramson (Member) commented

Is this not the API_KEY that can be optionally set? Or is this something extra we need to look into?

frogman (Author) commented Apr 6, 2021

Hi @wip-abramson @lohanspies @morrieinmaas
What I was thinking: the default AcaPy API traffic (when started out of the box) uses clear text over HTTP OpenAPI REST. From the security point of view, if we expose the REST API anywhere outside of the core system, the communication should not go over an unencrypted HTTP channel. Even if we use X-API-Key like @wip-abramson said, it is true that without the key we cannot trigger any REST actions, but any kind of browser inspection tool can then easily read the clear-text HTTP headers and catch the API key. I would see (will also check in my local install or with the AcaPy guys) if we can also make additional configs to insert via the Swagger certificate manager (SSL with PEM file), or we can do it the harder way and install load balancers to proxy all the requests and talk only HTTPS in front.

lohanspies (Member) commented

@frogman we just need to ensure the REST API is exposed over HTTPS by installing a cert as you mentioned.
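The "install a cert / put a proxy in front" approach the thread settles on, as an added example that is not part of the issue or of the ACA-Py project: an nginx reverse proxy terminating TLS in front of the admin API. It assumes the agent's admin API is bound to loopback on 127.0.0.1:8021 (placeholder) so nothing but the proxy can reach it, and uses placeholder hostname and certificate paths.

```nginx
# Added example: TLS-terminating reverse proxy in front of the ACA-Py admin API.
# Assumes the agent's admin API listens only on 127.0.0.1:8021 (placeholder),
# so the plain-HTTP upstream is never reachable from outside the host.
server {
    listen 80;
    server_name agent.example.com;           # placeholder hostname
    return 301 https://$host$request_uri;    # never answer the admin API over plain HTTP
}

server {
    listen 443 ssl;
    server_name agent.example.com;

    ssl_certificate     /etc/ssl/certs/agent.example.com.pem;    # placeholder paths
    ssl_certificate_key /etc/ssl/private/agent.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to refuse plain HTTP for this host from now on.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://127.0.0.1:8021;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Client request headers, including X-API-Key, are passed through to the
        # upstream by default; with this setup the key only ever travels inside
        # the TLS session or over loopback, not in clear text on the network.
    }
}
```

With this in place the Swagger UI and all admin endpoints are reached only via https://agent.example.com/, and a plain-HTTP request to port 80 gets a redirect rather than a response carrying data.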
