API authentification

[Maxou44]

Introduce a handshake between the load balancer and the transcoder (based on a secret ?), actually someone can register as transcoder on your laod balancer, it sucks a bit for the security 😒

[drouarb]

Maybe use a JWT to sign the request

[Maxou44]

JWT can be great solution to be sure the request wasn't edited but I don't see how it could help us to know if it's a "real transcoder" instead of someone trying to call the API?
It's necessary to have a secret shared between transcoders and the load balancer no?

[drouarb]

I’m not sure but I think since JWT use a HMAC signature, we can sign a query with a shared secret, it prevent from sending the token directly in query, also we can force to have a date header to prevent someone reusing the query if he stole it with a MITM Attack, finally, it prevents from editing the content of the request

[davidjameshowell]

Has any plans been made on if this will be executed in the future? Even a simple password handshake would be nice in the interim.

[Maxou44]

It's on the roadmap, no ETA at the moment, feel free to make a PR 👌

[magn2o]

I've been tinkering with something (yet unreleased) to this effect within my Docker containers, wherein an environment variable is set containing a list of whitelisted transcoder IPs (TRANSCODE_WHITELIST=) that will populate iptables rules on startup. Perhaps something similar could be introduced within the load balancer? It could simply check all incoming transcoder connections against the whitelist before accepting them?

[Maxou44]

I think token authentification is a best solution to easily support upscale and downscale

[magn2o]

Still goofing around so no PR yet, but here's rudimentary proof-of-concept for shared authentication: UnicornLoadBalancer, UnicornTranscoder.

A token can either be specified (env SERVER_AUTH) or it will be automatically generated at startup.