weyne/dcs-retribution
1
0
Fork 0
mirror of https://github.com/dcs-retribution/dcs-retribution.git synced 2025-11-10 15:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove API key auth; CORS is sufficient.

Browse Source 
The React UI running in a browser can't connect to the backend without
punching a hole for CORS, which isn't done by default. We don't need the
API key to protect from browsers, and anything else running on the
user's machine that can access the backend (that's hosted on only
localhost) already has enough control to do damage without using
Liberation as an attack vector.

https://github.com/dcs-liberation/dcs_liberation
This commit is contained in:
Dan Albert
2022-03-06 01:57:12 -08:00
parent 8165d3bd8c
commit 904602510d
4 changed files with 4 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
client/README.md
View File

@@ -7,20 +7,14 @@ yet.
For development, set the following environment variables when launching DCS
Liberation (the Qt UI):
- `REQUIRE_API_KEY=false`
This will disable API key authentication. The API key is randomly generated at
server startup and we don't currently have a mechanism for communicating that
key to the front-end.
- `CORS_ALLOW_DEBUG_SERVER=true`
This will allow the front-end to make requests to the server, as long as the
front-end is running on http://localhost:3000.
Then, run `npm start` to start the development server. Launch the Qt UI with
`--new-map` to connect the webview to the development server, or navigate to
http://localhost:3000 in your browser.
`--new-map --dev` to connect the webview to the development server, or navigate
to http://localhost:3000 in your browser.
## Available Scripts