Remove the update of an API Key for security related fields #469
gmourier started this conversation in Feedback & Feature Proposal
Following the v0.28 release, this discussion is now locked. We encourage you to create a new thread if needed. Thank you ✨
Hi folks 👋
While working on v0.28, we would like to remove the ability to update `actions`, `indexes` and `expiresAt` fields for an API key for security reasons. Indeed, imagine that your client code is using an API Key and that a person authorized to update the keys changes the permissions of this particular one. The key could suddenly have a privilege escalation as a non-desired side-effect.
While this could introduce a potential frustration in the developers' workflow, we tend to favor security by design, so we'd like to know what you think about that choice.
Do you have any examples where updating an existing API key is critical rather than creating an API key and replacing it if permissions need to be changed?
How often do you need to update the permission of an API Key, and why?
Thanks!