Limiting access to secret creation
Is it possible to limit access to secret creation without limiting access to reading secrets?
Let's say OTS has two main parts - "create secret" and "read secret". In my particular case I need to limit access to "create secret" (be it by IP or password - nothing fancy high security, just so random people can't create secrets) while "read secret" remains accessible to anyone.
I am even thinking of running two instances of OTS on the same server - one with "creation" parts edited out of app.vue template and other with full functionality, but with limited access. Would it even be possible?
You could configure your proxy webserver to limit access to /api/create for only allowed origins…
On application level currently there is no way to not display the corresponding interface or something but that could be built in. Should be a quite simple patch. The thing is just hiding the interface does not limit the API for secret creation, for that you'd need to apply the limit on the /api/create route again…
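As an added example of the proxy-level restriction suggested above (this is not configuration from the OTS project or from anyone in this thread), an nginx reverse-proxy fragment that gates /api/create by source address plus HTTP basic auth while everything else stays open; the upstream address, the trusted network range and the htpasswd path are assumptions:

```nginx
# Added example, not part of OTS. One OTS instance behind nginx; only the
# creation route is restricted, reading secrets is untouched.
# Assumptions: OTS listens on 127.0.0.1:3000, the trusted network is
# 192.0.2.0/24 (a documentation range), htpasswd file path is illustrative.

server {
    listen 443 ssl;
    server_name ots.example.com;
    # ssl_certificate / ssl_certificate_key omitted here

    # Creation endpoint: source-address allow-list AND basic auth.
    # nginx applies both by default (satisfy all), so a request from an
    # untrusted address gets 403 before credentials are even checked.
    location = /api/create {
        allow 192.0.2.0/24;
        deny  all;
        auth_basic           "OTS secret creation";
        auth_basic_user_file /etc/nginx/ots-creators.htpasswd;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Frontend and every other API route remain reachable by anyone.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the limit sits on the route itself, the creation form still rendered by the frontend simply receives a 403 when submitted from outside the allow-list; it is the API limit, not the hidden UI, that actually prevents creation.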
I've added a PR with an option to disable the creation frontend in #21 - it's still missing the French translation for the new texts and I need to think about the texts in general, but if you want to test it you could build it from the corresponding branch and test it out…
Nice, thank you! Now I only need to figure out how to make both instances share "mem" storage... or just use Redis...
Also thanks for the tip on limiting access to /api/create
In-mem storage is not shareable and it's the most ephemeral (restarting the process will wipe the storage). If you want to share the storage you should use Redis storage…
As an alternative you could create the secrets through the API (see the shell script in this repo) and use a single process… (Though in-mem storage is really not intended for production use!)
I have set up two instances of OTS sharing Redis storage. Works fine with one exception - after creating a secret, the URL is displayed for the instance with the creation interface enabled (since the secret was created from that instance) and the link must be manually changed to access the secret from the instance with the creation interface disabled. Instances must have different URLs (either name or port) to differentiate between them. Instances could share the same URL if mapped to different IPs and differentiated with the help of DNS, but it is not always possible (as in my case).
It looks like at this point my only option is making my own front to create secrets through API...