[Koha-bugs] [Bug 30962] REST API: Add endpoint /patrons/:patron_id/check_password

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Jul 29 03:22:31 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962

--- Comment #9 from David Cook <dcook at prosentient.com.au> ---
Regarding security, I've been thinking more about this, and in theory you could
lock down all non-public API routes by IP address, if your organisation has
static IP addresses and requires VPNs for working from home (WFH).

We do this on other systems that have admin APIs. 

It's possible that you might need to provide a third-party access to an admin
API (like this one in bug 30962), but then you can add their IP address to the
allow list. 

It just adds another layer of security over top of the existing security
measures. 

We could promote the idea by adding some configuration directives to Apache
that allow all IP addresses for both public and non-public API routes and
include some comments about how they can lock down the non-public API routes by
doing X, Y, and Z.
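As an added illustration of the layered approach the comment describes (this is not configuration shipped by Koha or written by the commenter), an Apache 2.4 fragment that leaves the public API routes open and restricts every other API route to an IP allow list; it assumes Koha's `/api/v1/` and `/api/v1/public/` path prefixes and uses constructed, placeholder address ranges:

```apache
# Assumption: Koha's REST API is served under /api/v1/, and the routes under
# /api/v1/public/ are the patron-facing ones; everything else is staff/admin.
# All IP ranges below are constructed placeholders; substitute your own.

# Non-public API routes: only the listed addresses may reach them.
# Several "Require ip" lines inside one section are OR'ed together
# (Apache's default RequireAny behaviour).
<Location "/api/v1/">
    Require ip 203.0.113.0/24      # office static range
    Require ip 198.51.100.10       # VPN concentrator egress (WFH users)
    Require ip 192.0.2.25          # third party using the bug 30962 endpoint
</Location>

# Public API routes stay open to everyone. This section is more specific
# than /api/v1/ and appears later, so its authorization replaces the
# allow list above for paths under /api/v1/public/ (AuthMerging Off default).
<Location "/api/v1/public/">
    Require all granted
</Location>

# Shipped default, as proposed in the comment: keep every route open and
# leave the allow list above as a commented-out template. To do that,
# replace the "Require ip" lines in the first section with:
#     Require all granted

# If Apache sits behind a load balancer or reverse proxy, "Require ip"
# otherwise tests the proxy's address rather than the client's. Enable
# mod_remoteip and trust only that proxy, for example:
#     RemoteIPHeader X-Forwarded-For
#     RemoteIPInternalProxy 10.0.0.5   # placeholder proxy address
```

Run `apachectl configtest` after editing, then confirm with `curl` from an address outside the list that a non-public route returns 403 while a public route still answers.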
