[#1940] Applied rate limit for requests with bad admin_token. Added doc warnings on admin_token setting.

2020-07-14 11:58:41 +03:00 · 2020-07-14 11:58:41 +03:00 · 9b225db7d8
commit 9b225db7d8
parent cf3f8cb72a
4 changed files with 28 additions and 6 deletions
--- a/docs/configuration/cheatsheet.md
+++ b/docs/configuration/cheatsheet.md
@ -815,6 +815,8 @@ or
 curl -H "X-Admin-Token: somerandomtoken" "http://localhost:4000/api/pleroma/admin/users/invites"
 ```

+Warning: it's discouraged to use this feature because of the associated security risk: static / rarely changed instance-wide token is much weaker compared to email-password pair of a real admin user; consider using HTTP Basic Auth or OAuth-based authentication instead.
+
 ### :auth

 * `Pleroma.Web.Auth.PleromaAuthenticator`: default database authenticator.