Security

KiraLT edited this page Oct 10, 2021 · 8 revisions

UI & API protection

Authorization

The API can be protected by setting an API key in the config. You will then be required to enter the key each time you visit the UI.

When using the API, you will also need to provide an Authorization header:

Authorization: Bearer <api key>

Env variable

The easiest way to set the API key is via an environment variable:

API_KEY="my password"

Configuration file

You can also add apiKey to the configuration file:

{
    "security": {
        "apiKey": "my password"
    }
}

To use the config file, pass the JSON config file to any run command with the -c option (e.g. npm run start -c config.json).

Stream API

When an API key is provided, the stream API is protected using a JSON Web Token.

You can also use a different key for the streaming API via the security.streamApi.key config parameter.

Example usage:

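import { sign } from 'jsonwebtoken'

// Must match the server's API key (or security.streamApi.key if one is set)
const key = 'my secure API key'
// The signed token becomes the last path segment of the stream URL
const url = `/stream/${encodeURIComponent(
    sign(
        {
            torrent: '08ada5a7a6183aae1e09d831df6748d566095a10',
            fileType: 'video',
        },
        key
    )
)}`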

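This URL carries its parameters as an encoded, signed token, so it's safe to share it publicly: the token does not contain the key, and changing the parameters invalidates the signature. The token is signed, not encrypted, so anyone who has the URL can read the torrent hash and file type. It will automatically expire (configurable via security.streamApi.maxAge).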
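The signed-but-readable property of the stream token and its age limit, as an added example that is not part of the original wiki or the project's code: it rebuilds the HS256 token that jsonwebtoken's sign() produces by default, using only Node's built-in crypto. The function names, the maxAgeSec parameter and the verification steps are assumptions; the server's own check may differ.

```javascript
// Added example, not the project's code. HS256 JWT handling with Node's
// built-in crypto so it runs without dependencies.
const { createHmac, timingSafeEqual } = require('node:crypto')

const b64url = (input) => Buffer.from(input).toString('base64url')
const fromB64url = (s) => Buffer.from(s, 'base64url')
const hmac = (data, key) => createHmac('sha256', key).update(data).digest()

// Same token shape as jsonwebtoken's sign(payload, key): HS256 header, `iat` added.
function signStreamToken(payload, key, nowSec = Math.floor(Date.now() / 1000)) {
    const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
    const body = b64url(JSON.stringify({ ...payload, iat: nowSec }))
    return `${head}.${body}.${b64url(hmac(`${head}.${body}`, key))}`
}

// Anyone holding the URL can do this: no key is needed to read the claims.
function readClaimsWithoutKey(token) {
    return JSON.parse(fromB64url(token.split('.')[1]).toString('utf8'))
}

// Assumed server-side check: pin the algorithm, compare the MAC in constant
// time, then reject tokens older than maxAgeSec (hypothetical parameter name).
function verifyStreamToken(token, key, maxAgeSec, nowSec = Math.floor(Date.now() / 1000)) {
    const parts = token.split('.')
    if (parts.length !== 3) return { ok: false, reason: 'malformed' }
    const [head, body, sig] = parts
    let header, claims
    try {
        header = JSON.parse(fromB64url(head).toString('utf8'))
        claims = JSON.parse(fromB64url(body).toString('utf8'))
    } catch {
        return { ok: false, reason: 'malformed' }
    }
    if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' }
    const expected = hmac(`${head}.${body}`, key)
    const given = fromB64url(sig)
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
        return { ok: false, reason: 'bad-signature' }
    }
    if (typeof claims?.iat !== 'number' || nowSec - claims.iat > maxAgeSec) {
        return { ok: false, reason: 'expired' }
    }
    return { ok: true, claims }
}

// Constructed sample values (the key and the 3600 s limit are made up).
const demoToken = signStreamToken({ torrent: '08ada5a7a6183aae1e09d831df6748d566095a10', fileType: 'video' }, 'constructed-key')
console.log(readClaimsWithoutKey(demoToken))
console.log(verifyStreamToken(demoToken, 'constructed-key', 3600).ok)
```
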
