Secure Admin API with HMAC signature
njlie opened this issue
Nathan Lie commented
Context
To follow established patterns in other services and use a low-overhead solution, it has been decided to secure the Admin API with an HMAC signature, using a shared secret between it and ASEs/the Admin UI.
Signature generation can be duplicated from:
rafiki/packages/backend/src/webhook/service.ts
Lines 218 to 235 in 5c0ee4b
Todos
- Add HMAC signature verification to backend
- Add shared secrets to backend, mock-ase, and frontend
- Add signature generation to mock-ase and frontend
- Add signature generation to integration tests
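One way the signature generation and backend verification listed in the Todos could fit together in Node.js, as an added example that is not Rafiki's code and is not taken from the referenced `service.ts`. The `t=..., v1=...` header layout, the function names, the 30-second freshness window and the sample values are all assumptions.

```javascript
// Added example, not Rafiki code. Header layout, names and window are assumptions.
const { createHmac, timingSafeEqual } = require('node:crypto')

const MAX_SKEW_MS = 30_000 // assumed freshness window for the signed timestamp

// Client side (ASE / Admin UI): sign "<timestamp>.<raw body>" with the shared secret.
function signRequest(secret, rawBody, now = Date.now()) {
  const digest = createHmac('sha256', secret).update(`${now}.${rawBody}`).digest('hex')
  return `t=${now}, v1=${digest}`
}

// Server side (backend): true only for a fresh, correctly signed body.
function verifyRequest(secret, rawBody, header, now = Date.now()) {
  // Strict parse: anything that is not exactly "t=<digits>, v1=<64 hex>" is rejected.
  const match = /^t=(\d{1,15}), v1=([0-9a-f]{64})$/.exec(header ?? '')
  if (!match) return false
  // Reject stale or far-future timestamps so a captured request cannot be replayed later.
  if (Math.abs(now - Number(match[1])) > MAX_SKEW_MS) return false
  // Recompute over the bytes as received, never over re-serialized JSON,
  // and over the timestamp string exactly as it was sent.
  const expected = createHmac('sha256', secret).update(`${match[1]}.${rawBody}`).digest()
  const received = Buffer.from(match[2], 'hex')
  // Both buffers are 32 bytes (the regex fixes 64 hex chars), so timingSafeEqual
  // cannot throw on a length mismatch; it compares in constant time.
  return timingSafeEqual(expected, received)
}

// Constructed sample values, for illustration only.
const SECRET = 'constructed-shared-secret'
const BODY = JSON.stringify({ example: 'constructed request body' })
const T0 = 1_700_000_000_000
const HEADER = signRequest(SECRET, BODY, T0)
```

The verifier needs the raw request body, so it has to run before any middleware that parses and discards the original bytes.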