Secure notebook, import, and fileattachment access
asg017 opened this issue
Right now, anything can request from `localhost:8080` and get data back, like source code, file attachments, etc. We should tighten that up, so only the developer can access info.

`dataflow run` should open a webpage like `http://localhost:8080?auth_token=65c87a64c6e5`, where that auth token will authorize that user to view notebooks/get file attachments and all.
- Don't connect to websocket unless valid auth token.
- `/api/import` should also have some form of auth
- `/api/file-attachments` should also have some auth
- What about multiple clients? Not sure how jupyter handles this...
- Toggle-able, let people expose a dev server if they really want to
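A sketch of the token gate proposed above, added here as an example and not taken from the dataflow code base: one per-run token checked on every HTTP route and on websocket upgrades, with an explicit opt-out. The names `newToken`, `launchUrl`, `isAuthorized`, `createDevServer`, the `opts` fields and the `onRequest`/`onUpgrade` hooks are assumptions; only the `auth_token` query parameter comes from the issue.

```javascript
const { randomBytes, timingSafeEqual } = require("node:crypto");
const http = require("node:http");

// One fresh random token per server start (16 bytes is an assumed size).
function newToken() {
  return randomBytes(16).toString("hex");
}

// URL the CLI would open in the browser, following the shape given in the issue.
function launchUrl(port, token) {
  return `http://localhost:${port}/?auth_token=${encodeURIComponent(token)}`;
}

// True when the request URL carries the expected auth_token.
// opts.requireAuth === false is the explicit opt-out ("toggle-able").
function isAuthorized(rawUrl, opts) {
  if (opts.requireAuth === false) return true;
  if (!opts.token) return false; // never treat an unset token as a match
  let supplied;
  try {
    supplied = new URL(rawUrl, "http://localhost").searchParams.get("auth_token");
  } catch {
    return false; // unparsable request target
  }
  const a = Buffer.from(opts.token);
  const b = Buffer.from(supplied ?? "");
  // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Dev server: every HTTP route and every websocket upgrade passes the same gate.
// onRequest / onUpgrade are hypothetical hooks standing in for the real handlers.
function createDevServer(opts, onRequest, onUpgrade) {
  const server = http.createServer((req, res) => {
    if (!isAuthorized(req.url, opts)) {
      res.writeHead(401, { "Content-Type": "text/plain" });
      return res.end("missing or invalid auth_token\n");
    }
    onRequest(req, res);
  });
  server.on("upgrade", (req, socket, head) => {
    if (!isAuthorized(req.url, opts)) {
      return socket.end("HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n");
    }
    onUpgrade(req, socket, head);
  });
  return server;
}
```

Calling `createDevServer(opts, ...).listen(8080, "127.0.0.1")` keeps the listener on loopback; the token check is what stops other local processes and web pages from reading notebook data.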