Limit reporting IPs
It'd be great if there was a way to tell hoptoad that it should only accept error reports for a given API key from a specific set of IP addresses. I've been working on a notifier in Java that runs some unit tests that send errors using my API key, but find it somewhat annoying when others fork the code and don't change it to use their own API key.
From a security standpoint, this seems like a simple way to help ensure the authenticity of an error given there's currently no real client validation - anyone knowing/guessing the API key can submit errors.
Support Staff 2 Posted by Tristan Dunn on 11 Feb, 2010 04:31 PM
Hi,
I'd suggest storing your API key outside the tests, perhaps in a file that isn't checked in, to avoid other people gaining access to it. Then simply set it at run time from the file. This would also fail without, forcing people who are forking it to get their own key.
- Tristan
Tristan Dunn resolved this discussion on 11 Feb, 2010 04:31 PM.
Socrata re-opened this discussion on 11 Feb, 2010 04:53 PM
3 Posted by Socrata on 11 Feb, 2010 04:53 PM
Yes, I could do that, although that would make the setup instructions a bit more difficult for those forking the project. It's already out in the wild now, so short of rewriting my git history and regenerating my API key, there's not much I can do about that.
Outside the test case situation, there's still the issue that Hoptoad has no way of verifying the authenticity of submitted errors beyond the API key. While the API key isn't supposed to be shared, sometimes it can be (developers joining/leaving a company, leaked API keys for some reason, etc.) and regenerating an API key isn't always convenient. Limiting IPs is a decent way to get 2-factor authentication for a service like hoptoad that tends to run on fixed servers where the IPs aren't changing.
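A sketch of the per-key source-IP check requested in this post, as an added example that is not Hoptoad's code or part of the original thread. The key names, addresses, and function names are constructed for illustration, and an empty allowlist is assumed to mean "no restriction".

```python
import hmac
import ipaddress

# Constructed sample data: API keys and their optional source allowlists.
ALLOWLISTS = {
    "key-with-allowlist": ["203.0.113.10", "198.51.100.0/24", "2001:db8::/32"],
    "key-without-allowlist": [],  # empty list = no restriction (assumption)
}

def _normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def _find_key(api_key):
    """Look up the key, comparing each candidate in constant time."""
    found = None
    for known in ALLOWLISTS:
        if hmac.compare_digest(known.encode(), api_key.encode()):
            found = known
    return found

def accept_report(api_key, peer_addr):
    """Return (accepted, reason) for a report arriving from peer_addr.

    peer_addr must be the TCP peer address seen by the server (or one set
    by a trusted proxy), never a value taken from a client-supplied header.
    """
    key = _find_key(api_key)
    if key is None:
        return (False, "unknown api key")
    networks = ALLOWLISTS[key]
    if not networks:
        return (True, "no allowlist configured")
    try:
        ip = _normalize(peer_addr)
    except ValueError:
        return (False, "unparseable source address")
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        # Compare only within the same address family.
        if ip.version == network.version and ip in network:
            return (True, "source in allowlist")
    return (False, "source not in allowlist")
```

Rejections are worth logging with the key identifier and source address, since a burst of "source not in allowlist" results for one key indicates the key is in use somewhere it was not meant to be.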
4 Posted by sderocher on 16 Feb, 2010 04:41 PM
Hi,
We'll keep that in mind, and keep you posted should we make any movement on it.
Thanks,
Steven
Matt Jankowski resolved this discussion on 28 Apr, 2010 03:01 PM.