ambassador-auth-httpbasic

URL whitelist

Open plombardi89 opened this issue 6 years ago • 0 comments

It is sometimes the case that you only want to protect a subset of paths and domains coming into the API gateway, for example, because you want to serve a public API or static assets.

In Datawire's custom authentication module we have a whitelist mechanism implemented with regular expressions. Regular expressions are very powerful but can also be confusing to read and write, and in the case of an authentication module, confusing to write can often lead to security issues if an instruction isn't tested correctly.

Another option is to use something like https://pypi.python.org/pypi/urlmatch/1.0.1 which is much simpler than regular expression matching, but trades off capabilities for simplicity.

My preference is to start with the urlmatch approach using a config file. Once we get stronger requirements around complex matching needs we could easily add in a regex matching engine as an advanced mode.

plombardi89 Mar 15 '18 15:03
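The trade-off described in the issue, as an added example that is not part of the original issue or of either authentication module: the same whitelist entry written as a loosely written regex, a carefully written regex, and a simple match pattern, checked against URLs that should still require authentication. The host name, the sample URLs and `pattern_exempt` are constructed for illustration; `pattern_exempt` is a simplified stand-in for match-pattern matching, not the urlmatch package's implementation.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist entries for one public path (hypothetical host).
LOOSE_REGEX = re.compile(r"https://static.example.com/assets/.*")  # dots unescaped
STRICT_REGEX = re.compile(r"https://static\.example\.com/assets/[^?#]*\Z")
PATTERN = "https://static.example.com/assets/*"

def regex_exempt(regex, url):
    """True if the regex whitelist would skip authentication for url."""
    return regex.match(url) is not None

def pattern_exempt(pattern, url):
    """Simplified match-pattern check: scheme://host/path, where the host may
    start with '*.' and the path may end with '*'. Host and path are compared
    after parsing, so a wildcard can never spill from one into the other."""
    p, u = urlsplit(pattern), urlsplit(url)
    host = (u.hostname or "").lower()
    want = p.netloc.lower()
    if p.scheme != u.scheme or not host:
        return False
    if want.startswith("*."):
        if host != want[2:] and not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    # Assumption: refuse dot segments rather than guess how the gateway
    # normalizes them before routing.
    if ".." in u.path.split("/"):
        return False
    if p.path.endswith("*"):
        return u.path.startswith(p.path[:-1])
    return u.path == p.path

# Constructed request URLs: the first is the intended public asset,
# the other two should still go through authentication.
SAMPLES = [
    "https://static.example.com/assets/app.js",
    "https://staticXexample.com/assets/app.js",
    "https://static.example.com/assets/../admin",
]

def audit():
    """Map each sample URL to (loose regex, strict regex, pattern) verdicts."""
    return {u: (regex_exempt(LOOSE_REGEX, u), regex_exempt(STRICT_REGEX, u),
                pattern_exempt(PATTERN, u)) for u in SAMPLES}

if __name__ == "__main__":
    for url, verdict in audit().items():
        print(verdict, url)
```

Running a table like this as a regression test whenever a whitelist entry changes catches over-broad entries before they reach the gateway.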