I’d like to write HMAC’d urls for things, instead of using keys to embed things. For instance, today we’re using iframes or csv links that include the API key, plus the ID of the query - there is nothing stopping the user changing things and looking at other stuff.
Proposal:
Add support for hmac auth
- check url for hmac_auth and user_id param
- if found, look up user by id, get their token
- generate a hmac signature of the full url and any parameters
- compare with hmac_auth parameter from user
- auth them if it matches
Advantages:
- stops the user seeing different things that user can see
- doesn’t include the api key
- industry standard (could use something specific like aws’ implementation, but something simpler would be fine imho)
Disadvantages:
- where does the user “get” the HMAC url from?
I’m happy to code this and make a PR, if it seems sane.
Russ