Rename `instance_id` to `Authorization` header in feature flag API
Currently we authorize feature flag's API requests using field `instance_id`, which is incorrect since this field should just identify particular machine executing client code (pod_id, hostname...).
This issue originated from this thread
Why do we think that `instance_id` is for identifying host: https://unleash.github.io/docs/api/client/register
Docs for security mechanism: https://unleash.github.io/docs/securing_unleash#securing-the-client-api
I think we should just rename field `instance_id` to something like `token` and verify it the same way we verify
For some period of time we can fall back from the `token` header to `instance_id`, if it's present in the API request.
This way we will neither expose current feature flags for unauthorised access, nor break compatibility for clients who already use `instance_id` as mechanism for authorisation.
And we can remove backward compatibility in a later major release (e.g. 13.0).
The only problem with this solution would be if we want to use `instance_id` for its main purpose (collecting statistics about feature flag usage) before we deprecate its current usage.
- I'm not sure if clients for all programming languages support this mechanism of authentication.
- Maybe we can also add an option of making the feature flag API public, as it is by default in Unleash. (I'm not absolutely sure if this statement is correct)
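
A sketch of the transition check proposed above, added here as an example and not taken from the issue or the project's code. The header names `Authorization` and `UNLEASH-INSTANCEID`, the function names and the sample token are assumptions; it also assumes that a present but wrong `Authorization` value is rejected outright instead of falling back, so the legacy path cannot be used to retry a failed token.

```ruby
require 'digest'

SECRET = 'constructed-sample-token' # constructed value, not a real credential

# Compare fixed-length digests byte by byte without early exit, so response
# timing does not reveal how much of a guessed token was correct.
def secure_equal?(given, expected)
  a = Digest::SHA256.digest(given.to_s).bytes
  b = Digest::SHA256.digest(expected.to_s).bytes
  a.zip(b).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# headers: Hash of request header names to values (names are assumptions).
# Returns { ok:, via:, host_id: } so callers can log which path was used
# and count clients that still rely on the deprecated fallback.
def authorize_client_request(headers, expected_token, allow_fallback: true)
  token = headers['Authorization'].to_s
  instance_id = headers['UNLEASH-INSTANCEID'].to_s

  unless token.empty?
    # Header present: it alone decides. A wrong token never falls back,
    # and instance_id is free to carry the host identifier again.
    ok = secure_equal?(token, expected_token)
    host_id = (ok && !instance_id.empty?) ? instance_id : nil
    return { ok: ok, via: :authorization, host_id: host_id }
  end

  if allow_fallback && !instance_id.empty?
    # Legacy client: instance_id is still treated as the secret, so it
    # cannot be used as a host identifier on this path.
    ok = secure_equal?(instance_id, expected_token)
    return { ok: ok, via: :instance_id_fallback, host_id: nil }
  end

  # No credential at all (or fallback removed in a later major release).
  { ok: false, via: :none, host_id: nil }
end
```

Calling it with `allow_fallback: false` models the state after backward compatibility is removed.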