Currently,
- Anyone on a machine running IPFS can access the IPFS API over the HTTP interface. This means any user can, e.g., read any running daemon's private keys.
- Anyone on a machine can run an IPFS server on the standard IPFS port and the IPFS client will blindly use it. This means that a malicious user could impersonate the IPFS server.
Solutions:
- Use unix domain sockets. The daemon could expose the API over one or more unix domain sockets. If multiple sockets are used, administrators could control access to various APIs using standard unix permissions (this doesn't require multiple sockets but that might make implementation easier).
- Use HTTP authentication and store some API key in the IPFS directory. With this method, care must be taken to authenticate both ways.
Stebalien
All 7 comments
We, at INFURA, really need to work on some kind of implementation for authentication of the API. This element, indeed, has a priority a little higher than developing ipfs-cluster 馃槵.
I know @jbenet you told me that _IPFS daemon is not meant that way_. But the need is there, to provide a daemon to people to upload and pin files. I had a quick conversation at DevCon2 with @whyrusleeping, and was suggested to build a specification, to discuss and implement.
So my question: Where do we move this conversation, so I can start a specification and implement it? In this repository? In ipfs/specs?
Thank you y gracias por la paciencia, los 煤ltimos meses han sido una locura!
HJ.-
hermanjunge
on 13 Oct 2016
There is also https://github.com/ipfs/go-ipfs/issues/1532
Kubuxu
on 13 Oct 2016
@Kubuxu Cool. @jbenet told me there was a more mature issue. So, that was it 馃槃
Thanks!
hermanjunge
on 13 Oct 2016
I like this a lot.
sebs
on 14 Oct 2016
Any update on this ? For now, we just put the IPFS API behind a wireguard but that can be very profitable to have a way to add auth in the IPFS API for ACL.
NotBad4U
on 6 Dec 2019
No. The current way to do this is to stick an NGINX proxy out in front of the API and authenticate with that.
Stebalien
on 7 Dec 2019
If I understand correctly, the current setup means anyone on localhost is privileged to interact with the API?
scanlime
on 3 Sep 2020
Related issues
whyrusleeping
路
4Comments
daviddias
路
3Comments
0x6431346e
路
3Comments
ArcticLampyrid
路
3Comments
magik6k
路
3Comments
Most helpful comment
We, at INFURA, really need to work on some kind of implementation for authentication of the API. This element, indeed, has a priority a little higher than developing
ipfs-cluster馃槵.I know @jbenet you told me that _IPFS daemon is not meant that way_. But the need is there, to provide a daemon to people to upload and pin files. I had a quick conversation at DevCon2 with @whyrusleeping, and was suggested to build a specification, to discuss and implement.
So my question: Where do we move this conversation, so I can start a specification and implement it? In this repository? In
ipfs/specs?Thank you y gracias por la paciencia, los 煤ltimos meses han sido una locura!
HJ.-