Security topic : Api Key and Signed urls #20
Description
Hello @qqmyers and everybody, I was wondering about the security regarding the use of Api Key &key=xxx as query string of the url.
Understand that I just want to open the dialogue on this topic.
Api Key is required to use Direct DataFile Upload/Replace APIs but the security risk seems important to me; Non IT user may share this url or may keep browser history on a shared computer and give their level of access on Dataverse.
Security is important and this issue has been addressed for Dataverse External Tools with the option Signed URLs. I don't know if it's possible to use it right now but it might be an idea to work on this (maybe extend Dataverse Signed Url scope to more than only External Tools if it's not).
Here is a non-exhaustive list of benefits to consider :
- No security issues regarding accidental share of Api Key
- Limited authorised scope of api endpoints and time of use (a full day is safe enough)
- No issue regarding Api Key creation and expiration ("Your key is expired, you must renew it before use DVWL...")
What do you think ?
Best regards