Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Feature Suggestion: Advanced Setting to force a user for API Keys
-
Not having a user for an API Key gives a lot of access. While I am the admin of my ProGet instance, there are others that have admin access and don't realize the hole they are opening up with an API Key that is not restrained by any user permissions (because they don't enter a user for the key).
I would like to suggest an Advanced Setting that, when toggled on, would force any new API Keys to select a valid user for the API Key to run as.
-
Hi @Stephen-Schaff ,
We already have "Personal API Keys" coming, so I think this will address those concerns.
The User Impersonation is really only used by the "Feed API" Endpoints anyways, and the only "problematic" endpoints might be "Feed Management API" (they could delete feeds) or "Native API" (they could do anything).
Otherwise, I think this would best be handled by training and documentation. Perhaps just a warning to put on the Create API Key page?
We've learned the hard way that advanced settings like this are really hard to support -- everyone forgets they exist (including support team).
steve
