2.9 KiB
Secure Unleash
The Unleash API is split in two different paths: /api/client
and /api/admin
.
This makes it easy to have different authentication strategy for the admin interface and the client-api used by the applications integrating with Unleash.
General settings
Unleash uses an encrypted cookie to maintain a user session. This allows users to be logged in across instances of Unleash. To protect this cookie you should specify the secret
option when starting unleash.-
Securing the Admin API
In order to secure the Admin API you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook. You should also set the secret option to a protected secret in your system.
const unleash = require('unleash-server');
const myCustomAdminAuth = require('./auth-hook');
unleash.start({
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
secret: 'super-duper-secret',
adminAuthentication: 'custom',
preRouterHook: myCustomAdminAuth
}).then(unleash => {
console.log(`Unleash started on http://localhost:${unleash.app.get('port')}`);
});
Examples on custom authentication hooks:
Securing the Client API
A common way to support client access is to use pre shared secrets. This can be solved by having clients send a shared key in a http header with every client requests to the Unleash API. All official Unleash clients should support this.
In the Java client this looks like:
UnleashConfig unleashConfig = UnleashConfig.builder()
.appName("my-app")
.instanceId("my-instance-1")
.unleashAPI(unleashAPI)
.customHttpHeader("Authorization", "12312Random")
.build();
On the unleash server side you need to implement a preRouter hook which verifies that all calls to /api/client
includes this pre shared key in the defined header. This could look something like this:
const unleash = require('unleash-server');
const sharedSecret = '12312Random';
unleash.start({
databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash',
enableLegacyRoutes: false,
preRouterHook: (app) => {
app.use('/api/client', (req, res, next) => {
if(req.headers.authorization !== sharedSecret) {
res.sendStatus(401);
} else {
next()
}
});
}
}).then(unleash => {
console.log(`Unleash started on http://localhost:${unleash.app.get('port')}`);
});
PS! Remember to disable legacy route with by setting the enableLegacyRoutes
option to false. This will require all your clients to be on v3.x.