Use a different secret for the Scalelite management APIs #1043

Open
simoncolincap opened this issue Jan 22, 2024 · 0 comments

@simoncolincap

Problem to solve:
At the moment all Scalelite APIs use the same secret. This means that if you share your secret with someone who wants to connect an application to Scalelite, they also get access to the management APIs. If an attacker gains access to that secret, they can do a lot more damage than before, for example by replacing the BBB servers with compromised ones.

Proposed solution:
I think it would be nice to be able to have a different secret for the management APIs.

Considered alternatives:
As a workaround I was able to use a tenant. Since the tenant gets extracted from the API request URL, you can create a token with the same name as the first part of your Scalelite domain (for example tenant bbb for Scalelite host bbb.example.com), and it will work without requiring subdomains. However, this feels a little unstable, since this isn't the expected way to use tenants.

Additional context:
The proper way to do this is probably to use tenants but we want to update to 1.5 without changing our Scalelite/BBB endpoint.
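As an added illustration of the split being requested (example code written for this page, not Scalelite's own code): the model below verifies a BBB-style request checksum, sha1(callName + queryString + secret), but picks the secret by what is being called. Calls whose names are in MANAGEMENT_CALLS (a hypothetical list; Scalelite's real management endpoints are not named here) must be signed with a separate operator-only secret, everything else with the integrator secret, and a host whose first label matches a tenant name uses that tenant's secret, which is the workaround described above. All secrets, hostnames and call names are constructed for the example.

```ruby
require 'digest'
require 'uri'

# All secrets and call names below are constructed for this example; none are
# Scalelite's real values. MANAGEMENT_CALLS is a hypothetical set of names.
API_SECRET        = 'integrator-secret'      # shared with anyone connecting an app
MANAGEMENT_SECRET = 'operator-only-secret'   # the separate secret the issue asks for
TENANT_SECRETS    = { 'bbb' => 'tenant-bbb-secret' }.freeze
MANAGEMENT_CALLS  = %w[getServers addServer removeServer].freeze

# BBB-style checksum: sha1(callName + queryString + secret), hex-encoded,
# where queryString is the raw query with the checksum parameter removed.
def bbb_checksum(call, query, secret)
  Digest::SHA1.hexdigest("#{call}#{query}#{secret}")
end

def call_name(uri)
  uri.path.split('/').last
end

# Append a checksum to an unsigned API URL (what a client would do).
def sign(url, secret)
  uri = URI.parse(url)
  checksum = bbb_checksum(call_name(uri), uri.query.to_s, secret)
  "#{url}#{uri.query ? '&' : '?'}checksum=#{checksum}"
end

# Split the checksum parameter off, keeping the remaining query text verbatim
# and in its original order, since that exact text is what was hashed.
def split_checksum(query)
  kept = []
  checksum = nil
  query.to_s.split('&').each do |pair|
    if pair.start_with?('checksum=')
      checksum = pair.delete_prefix('checksum=')
    else
      kept << pair
    end
  end
  [kept.join('&'), checksum]
end

# Workaround from the issue: the tenant name is the first label of the host.
def tenant_for(host)
  label = host.split('.').first
  TENANT_SECRETS.key?(label) ? label : nil
end

# Which secret an incoming request must have been signed with: management
# calls never accept the integrator secret, even when no tenant matches.
def secret_for(call, host)
  return MANAGEMENT_SECRET if MANAGEMENT_CALLS.include?(call)
  tenant = tenant_for(host)
  tenant ? TENANT_SECRETS[tenant] : API_SECRET
end

# Constant-time comparison so timing does not leak how much of the checksum matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [accepted, reason] for a signed request URL.
def verify(url)
  uri = URI.parse(url)
  call = call_name(uri)
  query, presented = split_checksum(uri.query)
  return [false, 'missing checksum'] if presented.nil?
  expected = bbb_checksum(call, query, secret_for(call, uri.host))
  return [false, 'checksum mismatch'] unless secure_equal?(expected, presented)
  [true, 'ok']
end
```

With this split, an integrator who holds API_SECRET can still create meetings, but a request such as addServer signed with that secret is rejected, which is exactly the damage the issue wants to contain. The checksum must be computed over the raw query text in its original order, which is why split_checksum does not parse and re-encode parameters.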
