
suggestion: anonymous access should be set explicitly #246

Open
fyears opened this issue Apr 27, 2024 · 3 comments

Comments

@fyears

fyears commented Apr 27, 2024

Hi,

I started using webdis today and want to expose it to the public internet. I want it password protected, with anonymous access disabled.

I find the ACL part confusing.

First I tried

  "acl": [
    {
      "http_basic_auth": "user:password",
      "enabled": [ "*" ]
    }
  ],

But I can still access the API without a username and password! That was very surprising to me.

Later I figured out the correct way:

  "acl": [
    {"disabled": ["*"]},
    {
      "http_basic_auth": "user:password",
      "enabled": [ "*" ]
    }
  ],

It seems to me that anonymous access is somewhat special: it is always enabled unless explicitly disabled by hand. The ACL is allow-list style except for anonymous access.

Maybe it's not a good idea from the security point of view? I suggest changing the code to fully allow-list style, no special treatment for the anonymous access. You can of course enable it by default by providing the example webdis.json, but after users delete that part, the anonymous access should be disabled as well.
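To make the behaviour described above concrete, here is a small constructed model of the ACL evaluation. It is added here as an illustration and is not webdis's own code; it assumes what the two configs in this issue demonstrate (every command starts out allowed for every client, rules are applied in order, and the `enabled`/`disabled` lists of each matching rule override what earlier rules decided), that command names in the lists are matched as glob patterns, and that `http_basic_auth` compares the `user:password` string carried in an HTTP Basic `Authorization` header. The function and constant names are the example's own. It also goes one step beyond the issue by showing what happens when the two rules of the working config are swapped.

```python
import base64
import fnmatch
import secrets
from typing import Optional

# Constructed model of the ACL behaviour reported in this issue (not webdis's
# own implementation). Assumptions: default-allow, rules evaluated in order,
# last matching rule wins for a given command, glob matching on command names.


def _rule_matches(rule: dict, auth_header: Optional[str]) -> bool:
    """A rule carrying http_basic_auth matches only a request whose Basic
    Authorization header decodes to exactly that user:password string.
    A rule without any condition matches every request, anonymous ones too."""
    expected = rule.get("http_basic_auth")
    if expected is None:
        return True
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(auth_header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return secrets.compare_digest(supplied.encode(), expected.encode())


def _listed(patterns, command: str) -> bool:
    """True if the command is covered by any glob in the list ("*" covers all)."""
    return any(fnmatch.fnmatchcase(command.upper(), p.upper()) for p in patterns)


def is_allowed(acl: list, command: str, auth_header: Optional[str] = None) -> bool:
    """Walk the rules in order; each matching rule may flip the decision."""
    allowed = True  # default-allow: exactly the point raised in this issue
    for rule in acl:
        if not _rule_matches(rule, auth_header):
            continue
        if _listed(rule.get("enabled", []), command):
            allowed = True
        if _listed(rule.get("disabled", []), command):
            allowed = False
    return allowed


def basic(user_pass: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(user_pass.encode()).decode()


# Config 1 from the issue: the only rule never matches an anonymous request,
# so nothing ever turns the default-allow off for anonymous clients.
ACL_AUTH_ONLY = [
    {"http_basic_auth": "user:password", "enabled": ["*"]},
]

# Config 2 from the issue: an unconditional rule disables everything first,
# then the authenticated rule re-enables it for clients with the credentials.
ACL_DENY_THEN_AUTH = [
    {"disabled": ["*"]},
    {"http_basic_auth": "user:password", "enabled": ["*"]},
]

# Not in the issue: the same two rules in the wrong order. The unconditional
# "disabled" rule runs last and overrides the authenticated allow for everyone.
ACL_WRONG_ORDER = [
    {"http_basic_auth": "user:password", "enabled": ["*"]},
    {"disabled": ["*"]},
]


def demo() -> dict:
    """Evaluate a GET under each config for anonymous, correct and wrong creds."""
    good, bad = basic("user:password"), basic("user:wrong")
    return {
        "auth_only_anonymous": is_allowed(ACL_AUTH_ONLY, "GET"),
        "auth_only_with_creds": is_allowed(ACL_AUTH_ONLY, "GET", good),
        "deny_then_auth_anonymous": is_allowed(ACL_DENY_THEN_AUTH, "GET"),
        "deny_then_auth_with_creds": is_allowed(ACL_DENY_THEN_AUTH, "GET", good),
        "deny_then_auth_wrong_creds": is_allowed(ACL_DENY_THEN_AUTH, "GET", bad),
        "wrong_order_anonymous": is_allowed(ACL_WRONG_ORDER, "GET"),
        "wrong_order_with_creds": is_allowed(ACL_WRONG_ORDER, "GET", good),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Under these assumptions the first config leaves anonymous `GET` allowed, which is the surprise reported above; the second denies anonymous and wrong-credential requests while allowing the configured user; and the swapped order locks everyone out. The practical check after any ACL change is the same as in the model: issue one request with no `Authorization` header and confirm it is rejected, rather than only confirming that the authenticated request succeeds.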

@jinlxz

jinlxz commented Jun 21, 2024

Yes, I see the same issue. Previously I thought the authentication didn't work; it's really confusing.

@nicolasff
Owner

Enabling access by default is by design.

You could make the same argument about Redis, that it can be used without credentials by default. From the Redis docs:

In the default configuration, Redis 6 (the first version to have ACLs) works exactly like older versions of Redis. Every new connection is capable of calling every possible command and accessing every key

Just like you need to secure your Redis instance and configure it correctly when you deploy it, the same applies to any other service – including Webdis.

@fyears
Author

fyears commented Jun 22, 2024

Maybe at least state this special note in the README?
