API Security
under review
Gareth
The API is useful, but powerful.
As it can modify calls (e.g. turning off recording) it would be good to add some security, e.g. some of:
* a token parameter?
* allow/blocklists of IPs allowed to access it?
* more granular control of what interfaces/IP were bound to (rather than all/localhost)
Ted Mielczarek
A straightforward way to implement this would be for MuteDeck to generate a random value on startup and write it to a fixed location (e.g. ~/Library/Application Support/MuteDeck/MuteDeck/api-token) and then require that all API requests include that token. This is functionally similar to a CSRF token.
Martijn Smit
under review
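
The startup-token scheme suggested in the comment above, as an added example that is not MuteDeck's code or part of the original thread. The function names and the use of an `Authorization: Bearer` header to carry the token are assumptions; the thread does not say how the token would be sent.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path


def write_token(path: Path) -> str:
    """Generate a fresh token at startup and store it for the local user only."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    # mkstemp creates the file with mode 0600, so the token is never
    # readable by other local accounts, even briefly.
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    # Atomic replace: a token left over from a previous run stops being valid.
    os.replace(tmp, path)
    return token


def authorized(headers: dict, expected: str) -> bool:
    """Return True only if the request presents the current token."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed demo location; a real app would use its fixed support directory.
    demo = Path(tempfile.mkdtemp()) / "MuteDeck" / "api-token"
    current = write_token(demo)
    client_copy = demo.read_text()  # what a local client would read from disk
    print(authorized({"Authorization": f"Bearer {client_copy}"}, current))
    print(authorized({"Authorization": "Bearer guess"}, current))
    print(authorized({}, current))
```

A token file protects against other hosts and other local accounts; any process running as the same user can still read it.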