docs: Updated documentation about protecting API endpoint (#36)

Isawan · Aug 16, 2023 · 65ae5ec · 65ae5ec
2 parents af2869f + 1d265c7
commit 65ae5ec
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 5 deletions.
diff --git a/docs/src/private-registry-authentication.md b/docs/src/private-registry-authentication.md
@@ -1,10 +1,16 @@
 # Private Registry Authentication
 
-To authenticate against private registries, the auth token can be inserted into the `terraform_registry_host` postgres table.
+To insert credentials for private registries, the auth token can be updated with an API call.
 
-``` sql
-insert into "terraform_registry_host" ("hostname", "auth_token")
-    values ("example-private-registry.com", "xxxxxx")
+``` bash
+curl  -X POST \
+    -d '{ "data": { "token": "xxxx"} }' \
+    -H 'Content-Type: application/json' \
+    https://localhost:9443/api/v1/credentials/example.com
 ```
 
-An API call to do this is planned.
+Likewise, to delete a credential, the auth token can be deleted via a `DELETE` request.
+
+```
+curl  -X DELETE https://localhost:9443/api/v1/credentials/example.com
+```
diff --git a/docs/src/reverse-proxy.md b/docs/src/reverse-proxy.md
@@ -3,6 +3,12 @@
 The terraform [provider network mirror protocol](https://developer.hashicorp.com/terraform/internals/provider-network-mirror-protocol) requires that the API request be performed over encrypted HTTPS.
 Terrashine itself does not currently perform TLS termination, a reverse proxy must always be deployed to perform this function for a working setup.
 
+## Securing the admin API
+
+Terrashine provides an API endpoint which should be protected by the reverse proxy.
+Endpoints hosted under the `/api/` should be considered privileged and not exposed externally without an authentication layer.
+Currently, authentication should be implemented by the reverse proxy and is not natively supported by terrashine.
+
 ## External Caching
 
 Caching is optional however, terrashine sets `Cache-Control` headers where possible to allow caching by external reverse proxies.
@@ -50,6 +56,12 @@ http {
             # terrashine
             proxy_pass http://localhost:9543;
         }
+        # Deny traffic to the API endpoint
+        # This could be protected by basic auth as well
+        location /api {
+            deny all;
+            return 404;
+        }
     }
 }
 ```
diff --git a/resources/test/nginx/conf.d/default.conf b/resources/test/nginx/conf.d/default.conf
@@ -9,4 +9,10 @@ server {
         # terrashine
         proxy_pass http://localhost:9543;
     }
+    # Deny traffic to the API endpoints
+    # This could be protected by basic auth as well.
+    location /api {
+        deny all;
+        return 403;
+    }
 }