[#1940] Applied rate limit for requests with bad admin_token. Added doc warnings on admin_token setting.

Ivan Tashkinov 2020-07-14 11:58:41 +03:00
commit 9b225db7d8
4 changed files with 28 additions and 6 deletions


@ -2008,13 +2008,15 @@ config :pleroma, :config_description, [
label: "Pleroma Admin Token",
type: :group,
description:
"Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the `admin_token` parameter",
"Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the `admin_token` parameter (risky; use HTTP Basic Auth or OAuth-based authentication if possible)",
children: [
%{
key: :admin_token,
type: :string,
description: "Admin token",
suggestions: ["We recommend a secure random string or UUID"]
suggestions: [
"We recommend NOT setting the value do to increased security risk; if set, use a secure random long string or UUID (and change it as often as possible)"
]
}
]
},
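Review bot: The new `suggestions` text has a typo, "do to increased security risk", which should read "due to"; since this string is shown to operators, I would change it to `"We recommend NOT setting the value due to increased security risk; if set, use a long, secure random string or a random (v4) UUID, and rotate it regularly"`. Saying "UUID" without qualification also admits time-based UUIDs, which are not suitable as secrets, and "as often as possible" gives no actionable rotation guidance. The group description marks the token as "risky" without a reason; a short clause would help, for example that it is a static shared secret granting admin API access without a user account and that, being sent as a request parameter, it can presumably end up in server or proxy logs. The enclosing `config :pleroma, :config_description` list starts and ends outside this hunk.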