Is it safe to expose everything but webtoken_for_localhost without localhost check?

[ouuan]

I'm disabling the localhost check and putting everything behind an authentication tool. The problem is that, when the authentication expires, because of the cache (service worker), it doesn't authenticate again when I refresh the page, so some API calls will fail. Then I need to force-refresh the page or authenticate again in other ways.

So I want to know whether it is safe to expose everything but webtoken_for_localhost without localhost check. Or is there a better solution?

[almarklein]

Authentication basically works in two phases:

• You establish a form of trust, and then give the client a webtoken.
• Then this webtoken is used for all future API calls, including calls to renwe the webtoken.

In the default run.py the trust for step 1 is established by checking for localhost. You can replace this with something else, i.e. determine in another way that the client is legit, and give the client a webtoken.

You may also be able to disable the webtoken altogether, but I would not recommend that.