Katie
Posted on December 7, 2020
I've been playing w/ Netlify Identity and just discovered that Postman-friendly HTTPS API endpoints for managing Netlify Identity are wide open to the whole internet (which kind of makes sense, since they expose the sorts of actions you'd normally expose with signup forms). However, they're not clearly documented.
I'm trying to seed my holiday letter website with a bunch of family members' e-mail addresses. I don't want them to receive signup confirmation e-mails -- I just want them to be "users" of my system.
I'd been thinking about using a single simple password to protect the whole site. Netlify charges money for that, but they don't charge me anything to set up 100 users and give them all the same password.
Plus, now someone has to know both the e-mail address of one of my family members and the common password (well, or just have control of their email, I suppose ... they could reset the password) to get into my site.
I was also considering Auth0's "magic link" passwordless authentication, so that's essentially the same level of security I was looking at in the first place.
(Netlify doesn't currently offer passwordless authentication.)
Surfing "endpoints" in Netlify's GoTrue library that powers Identity, I couldn't figure out how to authenticate to the API for managing users.
Turns out there isn't any authentication -- the endpoints are open to the whole internet.
I figured this out when I gave up and simply tried performing an HTTP POST
operation in Postman against https://my-site.netlify.app/.netlify/identity/signup
with a Content-Type
header of application/json
and a body of {"email": "example@mydomain.com","password": "correcthorse"}
.
At first, I received an HTTP response with the Forbidden
status code 403
, and a response body of {"code":403,"msg":"Signups not allowed for this instance"}
.
I flipped Registration back from "Invite-only" to "Open" at https://app.netlify.com/sites/my-site/settings/identity
and tried again.
This time, I received an HTTP response with the OK
status code 200
, and a response body of:
{
"id": "987654321",
"aud": "",
"role": "",
"email": "example@mydomain.com",
"confirmed_at": "2020-12-07T17:14:01.856778419Z",
"app_metadata": {
"provider": "email"
},
"user_metadata": null,
"created_at": "2020-12-07T17:14:01.851876Z",
"updated_at": "2020-12-07T17:14:01.856903Z"
}
Visiting https://app.netlify.com/sites/my-site/identity
, I saw example@mydomain.com
in the list of users.
Checking my e-mail, I had not received an email from Netlify.
Perfect.
I flipped Registration back from "Open" to "Invite-only" before anyone else on the internet got up to any mischief.
It'd be nice if Netlify Identity had some sort of admin-protected way of creating users with prepopulated passwords while registration is "invite-only," but oh well. This will do.
Posted on December 7, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.