Front End Implementation - Read Only

[smittysmee]

@markphelps - Are there docs related to read-only access with regards to Javascript implementations? Apart from opening up a service to then call flipt in K8s, I am unsure on how to proceed with implementation. With a JWT or static token, I would be concerned with a malicious end-user modifying flags within a specific namespace.

https://github.com/flipt-io/flipt-client-sdks/tree/main/flipt-client-browser

Any tips would be helpful

[markphelps]

@smittysmee so the client SDKs only perform evaluation so there is no issue there with potentially modifying state. But I see what you are saying that anyone could use the same token and arbitrarily call our REST API via JavaScript to modify state.

You can put the entire API in read only mode, even if you are using a SQL DB for backend via setting the storage.read_only property: https://docs.flipt.io/configuration/storage#read-only-mode . You could have one instance of Flipt available internally that you use to update state, and then another instance available for evaluation that is in read only mode that connects to the same database, like a read replica.

You can also create tokens scoped to a specific namespace: https://docs.flipt.io/authentication/methods#static-token, however that does allow write as well.

Another potential solution is put Flipt behind a reverse proxy like Caddy or NGINX and block all requests to /api/v1/ which is contain 'management API' routes.

Would any of these work for you while we implement a more 'correct' way?

We are currently working on RBAC / Authz which would likely also solve this

[smittysmee]

@markphelps

Interesting thoughts.
I don't think these would fly rolling them out to production. I may just have to wrap it behind a service for the moment or put items in the JWT if we do bulk evaluations on login.

How much longer are you thinking on the RBAC solution?

[markphelps]

We're hoping to have it out in the next release, so 1-2 weeks

[smittysmee]

Is there a beta release? Would be awesome to get access to it and help test!

[markphelps]

There will be! I'll send you the beta build once ready. You can follow the progress on this PR: #3008

We're using it as a base branch and will be merging other PRs into it as we go to break down the feature into more reviewable chunks.

Question: would you prefer to use JWT or static token for authn/z? We plan to add authz support for OIDC login, GitHub, and JWT but need to think through static token support a little bit I think

[smittysmee]

Static token allows for ease of adoption. JWT allows for temp access. For our implementation, static token is being used for the backend. I would consider using JWT for FE. Both read only would be ideal. I have the PMs go through OIDC via github for management.