Aiohttp_security - securing access to AcaPy assets - SSL/HTTPS

[frogman]

Question

I was worried about the security in the AcaPy aiohttp instances and asyncio calls with the API endpoints.

Further Information

Maybe I missed it , but following the aiohttp.clientsession calls from the AcaPy endpoints I could not find any builtin security.
https://aiohttp-security.readthedocs.io/en/latest/usage.html
We could check out the python native aiohttp-security library which uses security policies.
There are also alternatives which we can also reach, is using SSL when serving Swagger calls.

Additional Context

We could also consider installing a SSL certificate in the swagger Certificate Manager (not sure if AcaPy allows this admin part of the API to be administered or changed).
Or we can use HA load balancers to capture HTTPS traffic and balance it further to AcaPy swagger endpoints.
In both approaches we need access to the Swagger Admin Center -- usually at http://<DOMAIN_or_IP>/ui

Cheers.

Z

[wip-abramson]

Is this not the API_KEY that can be optionally set? Or is this something extra we need to look into.

[frogman]

Hi @wip-abramson @lohanspies @morrieinmaas
What I was thinking, the default API AcaPy traffic (when started out-of-the box) uses clear text over HTTP OpenAPI REST. From the security point of view , if we expose anywhere the REST API outside of the core system , the communication should not go over unencrypted http channel. Even if we use X-API-Key like @wip-abramson said, it is true that without the key we cannot trigger no REST actions, but any kind of inspection browser can then easily read the clear-text http headers and catch the API key. I would see (will also check in my local install or with AcaPy guys) if we can also make additional configs to insert vie Swagger certificate manager (SSL with PEM file) or we can do it the harder way and install a load balancers to proxy all the requests and talk only https before.

[lohanspies]

@frogman we just need to ensure the REST API is exposed over HTTPS by installing a cert as you mentioned.