Remove the useless 'secret key', since it doesn't add any more security than the path.

Anna Rose Wiggins 2020-05-13 22:11:07 +00:00
parent c1594e73f4
commit 0b8134bbcf
3 changed files with 11 additions and 28 deletions


@ -14,8 +14,7 @@ The server can be configured via the following environment variables:
The webhooks configuration file should be an array of entries with the following keys:
* name - A human-readable name that explains the webhook's purpose.
* path - The webhook will be served by the app at this path.
* secret_key - An authentication value for reading and writing to the webhook. This must be included in all requests. (see Usage for format)
* path - The webhook will be served by the app at this path. **Treat this as a secret value.**
* num_switches - the number of data points / indexes expected with each POST.
* momentary_switches - an array of any indexes that refer to 'momentary' switches.
The value of these indexes will be reset to 0 after the next GET request to the webhook.
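Review bot: The new `path` description ("Treat this as a secret value.") leaves the reader without guidance on how strong that secret has to be, and with `secret_key` gone the path is now the only thing gating reads and writes. Add a sentence stating that the path must be long and randomly generated (not a guessable word such as `/garage`), and note the ways a URL path differs from a header-carried secret: it is written to application and reverse-proxy access logs, to browser history, and into `Referer` headers when the URL is opened from a page, so those logs need protecting too.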
@ -37,7 +36,7 @@ And run with:
A dockerfile is also included, along with a sample docker-compose.yml demonstrating
how the server might be run in a containerized environment.
Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using plain http WILL expose your secret keys.
Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using plain http WILL expose your secrets.
## Usage
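Review bot: The reworded warning covers exposure in transit only; since the secret is now the URL path, it is also exposed at rest in the TLS proxy's access logs even when TLS is used. Suggest extending the note with something like "The proxy's access logs will contain the webhook paths; restrict access to them or disable path logging for this service."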
@ -45,7 +44,7 @@ Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using
To read the current webhook data, simply send a GET to the webhook URL, with the `key` parameter appropriately set. Example:
```
curl -x GET "https://example.com/WEBHOOK_PATH?key=WEBHOOK_KEY
curl -x GET "https://example.com/WEBHOOK_PATH
```
To write data, send a POST to the same URL, with a json-formatted body in the following format:
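Review bot: The unchanged context line "with the `key` parameter appropriately set" is now stale, because the updated `curl` example no longer sends `?key=`; drop that clause so the prose matches the example. Two defects in the example line itself are also worth fixing while here: `curl -x GET` uses the lowercase `-x`, which is curl's proxy option, whereas the request-method flag is uppercase `-X` (and a plain GET needs neither), and the URL is missing its closing double quote, which was already wrong in the removed line. The corrected example would read `curl "https://example.com/WEBHOOK_PATH"`.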
@ -53,3 +52,8 @@ To write data, send a POST to the same URL, with a json-formatted body in the fo
```
[value0, value1, value2, ...]
```
## Future Development
* Use a more robust secret than "the URL is hidden behind TLS." Maybe client-side x509 certs.
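Review bot: This future-work bullet jumps straight to client-side x509 certificates, which is the heaviest option; the cheaper intermediate step is a bearer token sent in an `Authorization` header, which unlike the removed query-string `key` (and unlike the path) is not recorded in standard access logs or `Referer` headers. Suggest listing that option first and spelling out why the path-as-secret is weak (it leaks through logs, browser history and referrers) so the item has a concrete goal rather than a single proposed mechanism.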