Webhook Authorization #246
Replies: 7 comments
-
Today, I put the token in the URL as a query parameter. Would love to have the option to put the token in the headers of the request.
-
A way to authenticate is a reasonable request. I don't think a header would solve the problem any more than a query parameter. Might be good to consider something like a JWT with either a shared secret (set by the user per snake) or a public key (the private key being owned by Battlesnake engine). Each snake could then verify the JWT's claim that the request came from Battlesnake and not another party, as well as an expiration time and perhaps claims on the game ID + turn number.
-
I'm definitely in favor of adding this functionality - there's an additional argument for it, in that most modern webhook services offer request signing and signatures. So this adds pretty heavily to the idea of Battlesnake encouraging folks to use 'real-world' tools and techniques :) I like the idea of using a shared secret / signature, similar to how Mailgun and Stripe sign their webhooks and include a timestamp as a nonce. That way signatures are always provided, and it's up to the server (Battlesnake) to opt-in to verification (and the performance cost associated with it).
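The shared-secret signature scheme proposed in the comment above (HMAC over the body with a timestamp as a nonce, the way Stripe and Mailgun sign webhooks), as an added example that is not part of this thread or of the Battlesnake engine. The header layout `t=<timestamp>,v1=<hex mac>`, the secret and the request body are constructed for illustration; the engine side signs and the snake side verifies, rejecting tampered bodies, wrong secrets and stale replays.

```python
import hashlib
import hmac
import json
import time

# Constructed values (assumptions, not real Battlesnake settings): a shared
# secret configured once per snake, and a replay window for the timestamp.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"
TOLERANCE_SECONDS = 300


def sign(body: bytes, secret: bytes, timestamp: int) -> str:
    """Engine side: MAC '<timestamp>.<body>' so the timestamp is bound to the body."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(body: bytes, header: str, secret: bytes, now: int) -> bool:
    """Snake side: parse the header, check freshness, then compare in constant time."""
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        sig = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed or missing signature header
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed, abbreviated /move-style request body.
REQUEST_BODY = json.dumps({"game": {"id": "example-game-id"}, "turn": 12}).encode()


def demo() -> dict:
    """Sign once, then show which verification outcomes a snake should expect."""
    now = int(time.time())
    header = sign(REQUEST_BODY, SHARED_SECRET, now)
    return {
        "valid": verify(REQUEST_BODY, header, SHARED_SECRET, now),
        "tampered_body": verify(REQUEST_BODY + b" ", header, SHARED_SECRET, now),
        "wrong_secret": verify(REQUEST_BODY, header, b"other-secret", now),
        "replayed_later": verify(REQUEST_BODY, header, SHARED_SECRET,
                                 now + TOLERANCE_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```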
-
That's a really good point about encouraging learning real-world tech 👍
-
I use Basic authentication which is well supported by Battlesnake engine. |
-
@und3f Ah, that's interesting - Do you just put the username:password pair in the snake URL?
-
Yes, like ***@***.***
-
When registering a Battlesnake, I'd like to be able to supply an authorization token that would be used to authorize the requests. That would allow me to secure my API against malicious use.