By default, your Pizzly instance does not require an authentication method to access its data. It's great for local development but not recommended if you plan to use it with production data.
In this guide, you will learn how to secure your Pizzly instance.
Pizzly use environment variables to restrict access to the instance. Here's short overview
| Name | Services protected |
|---|---|
| DASHBOARD_USERNAME | Dashboard |
| DASHBOARD_PASSWORD | Dashboard |
| SECRET_KEY | API, Proxy |
| PUBLISHABLE_KEY | Auth, Proxy |
Your Pizzly dashboard can be protected behind a username & password, using the Basic access authentication method. DASHBOARD_USERNAME is the username.
Your Pizzly dashboard can be protected behind a username & password, using the Basic access authentication method. DASHBOARD_PASSWORD is the password.
Once both are set, your browser will prompt an authorization window:
Your SECRET_KEY should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any request to the API and Proxy services, without restriction.
Once set, authenticate requests to your Pizzly instance by using a basic authorization method and provide the SECRET_KEY as username (without password):
curl -X GET "/api/"
-u "$SECRET_KEY:"Your PUBLISHABLE_KEY isn’t secret and shouldn't be considered as is. Publishable keys only have the power to make auth & proxy requests. And requests to the proxy service can be deactivated (learn more).
Most PaaS provides guides on how to configure environments variables on their platform:
- Heroku (Configuration and Config Vars)
- Platform.sh (Variables)
If you have SSH access to your server, you can use a configuration file.
-
In the root directory of your Pizzly project, open the
.envrcfile. If you don't have one, you can copy the.envrc.examplefile with this command:cp .envrc.example .envrc -
In that file, heads to the "Secure" section. It should look something similar to this:
# # Secure your instance # # 1. Secure access to the dashboard # export DASHBOARD_USER="" export DASHBOARD_PASSWORD="" # # 2. Secure requests to the API # export SECRET_KEY="" export PUBLISHABLE_KEY=""
-
Update each environment variables with new values. Make sure to generate unguessable keys. A password manager can help a lot here.
-
Accept the changes with:
direnv allow
-
Restart your server for the changes to take effect. Locally, you will have to enter:
yarn build && yarn start -
Redeploy your instance
Pizzly's proxy accepts requests having a valid publishableKey. This means that someone that knows your publishableKey can query an API using your Pizzly's instance.
As the key is publicly available on your frontend, this might feel insecure, but remind that the publishableKey is used only to authenticate the request with Pizzly. An attacker would need both a valid publishableKey and a valid authId to make request to a third-party API.
Still, if you aren't feeling safe to accept frontend requests, you can easily refuse them.
-
Go to your host configuration settings or open your configuration file (
.envrc) config file -
Set the following environment variable to "TRUE":
PROXY_USES_SECRET_KEY_ONLY=TRUE
-
Restart or redeploy your instance. On most PaaS (e.g. Heroku), the instance is automatically restarted when you update an environment variables.
Now that your Pizzly instance is secured, here are a few guides that might be helpful: