Issue
A totally different API key allows access to an existing account on the same database.
Steps to reproduce
- Create a database
- Create an API key "keyone"
- Create an account with ai-featureBase.com using DB ID and keyone secret key
- Create a template and node
Second key
- Create an API key "keytwo"
- Create an account with ai-featurebase.com using DB ID and keytwo secret key
Result: Account two has access to the template and node created under keyone.
The bigger issue
API private keys are not usually used for anything but the first connection setup. From there, other means are usually used.
Using them for a login is sub-optimal.
Solution
Unless there are compelling reasons to allow a user to generate an API key and access all the templates, nodes and pipelines for a database, this should be disabled in favour of one of the following:
- use the public key for subsequent logins
- force the user to create an account password