Rename `instance_id` to `Authorization` header in feature flag API
Summary
Currently we authorize feature flag's API requests using field instance_id
, which is incorrect since this field should just identify particular machine executing client code(pod_id, hostname...).
This issue originated from this thread
Why do we think that instance_id
is for identifying host: https://unleash.github.io/docs/api/client/register
Docs for security mechanism: https://unleash.github.io/docs/securing_unleash#securing-the-client-api
Proposed solution
I think we should just rename field instance_id
to something like token
and verify it the same way we verify instance_id
currently.
For some period of time we can fallback token
header to instance_id
, if it's present in the api request.
This way we will neither expose current feature flags for unauthorised access, nor brake compatibility for clients who already use instance_id
as mechanism for authorisation
And we can remove backward compatibility in latter major release(e.g. 13.0).
The only problem with this solution would be if we want to use instance_id
for its main purpose(collecting statistics about feature flag usage) before we deprecate its current usage.
Unknowns
- I'm not sure if clients for all programming languages support this mechanism of authentication.
- May be we also can add option of making feature flag api public as it is by default in Unleash.(I'm not absolutely sure if this statement is correct)