Front End Implementation - Read Only #3099
@smittysmee so the client SDKs only perform evaluation so there is no issue there with potentially modifying state. But I see what you are saying that anyone could use the same token and arbitrarily call our REST API via JavaScript to modify state.

You can put the entire API in read only mode, even if you are using a SQL DB for backend via setting the

You can also create tokens scoped to a specific namespace: https://docs.flipt.io/authentication/methods#static-token, however that does allow write as well.

Another potential solution is to put Flipt behind a reverse proxy like Caddy or NGINX and block all requests to

Would any of these work for you while we implement a more 'correct' way? We are currently working on RBAC / Authz which would likely also solve this.
Interesting thoughts. How much longer are you thinking on the RBAC solution?
@markphelps - Are there docs related to read-only access with regards to JavaScript implementations? Apart from opening up a service to then call Flipt in K8s, I am unsure on how to proceed with implementation. With a JWT or static token, I would be concerned with a malicious end-user modifying flags within a specific namespace.
https://github.com/flipt-io/flipt-client-sdks/tree/main/flipt-client-browser
Any tips would be helpful.