Securing the new API endpoints for 2.0.8 release
Before we release 2.0.8, we need to properly secure the way the new APIs (#2033 (closed), #2034 (closed)) are exposed.
Currently, our APIs are not protected by a handler (protection=none), and rely on NGINX (or Apache) for protection.
In the current situation, because api.psgi is provided in the same directory as manager.psgi, invoking manager.example.com/api.psgi will still enter api.psgi and allow serving all manager endpoints with "protection = none".
Solution 1
We could ship api.psgi in an api/htdocs/ directory instead of manager/htdocs, and serve it in a separate vhost (api.example.com).
Solution 2
We could ship api.psgi and manager.psgi in the same directory (manager/htdocs), but modify the manager vhost so that it doesn't allow serving any *.psgi files any more. (The Apache config already does this: only manager.psgi can be served by Apache at manager.example.com in the current state of things.)
We still serve the API on a dedicated domain name: api.example.com.
Solution 3
We fully integrate the API into the manager vhost, serve it on the same domain (manager.example.com) and protect the /api/ endpoint like we do in the portal with /config, /sessions etc.
@guimard @clement_oudot what is your favorite approach?
In summary: do we create a new dedicated vhost for the new manager APIs or not?
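A sketch of what Solution 2 could look like on the NGINX side, added here as an illustration and not taken from the project's shipped configuration. The document root, FastCGI socket path and allowed network are placeholder assumptions, and listen/TLS directives are omitted.

```nginx
# Added illustration, not the project's own configuration.
# Paths, socket and the allowed network below are placeholders.

server {
    server_name manager.example.com;
    root /path/to/manager/htdocs;                      # placeholder

    # Regex locations are tried in file order and the first match wins,
    # so this block must stay above the catch-all refusal below.
    location ~ ^(?<sc>/manager\.psgi)(?<pi>/.*)?$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$sc;
        fastcgi_param PATH_INFO $pi;
        fastcgi_pass unix:/path/to/fastcgi.sock;       # placeholder
    }

    # api.psgi sits in the same directory but is never dispatched
    # from this vhost; neither is any other *.psgi file.
    location ~* \.psgi(?:$|/) {
        return 404;
    }
}

server {
    server_name api.example.com;
    root /path/to/manager/htdocs;                      # same directory

    # The API runs with protection=none, so the web server is the
    # only gate: restrict who can reach this vhost at all.
    allow 192.0.2.0/24;                                # placeholder network
    deny all;

    location ~ ^(?<sc>/api\.psgi)(?<pi>/.*)?$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$sc;
        fastcgi_param PATH_INFO $pi;
        fastcgi_pass unix:/path/to/fastcgi.sock;       # placeholder
    }

    location ~* \.psgi(?:$|/) {
        return 404;
    }
}
```

After a reload, a request for /api.psgi on manager.example.com should return 404, while the same path on api.example.com should be answered only for clients inside the allowed network.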