I've been playing with Netlify Identity and just discovered that the Postman-friendly HTTPS API endpoints for managing Netlify Identity users accept requests from anywhere on the internet with no authentication (which kind of makes sense, since they expose the sorts of actions you'd normally expose through a signup form). However, they're not clearly documented.
I'm trying to seed my holiday letter website with a bunch of family members' e-mail addresses. I don't want them to receive signup confirmation e-mails -- I just want them to be "users" of my system.
I'd been thinking about using a single simple password to protect the whole site. Netlify charges money for that, but they don't charge me anything to set up 100 users and give them all the same password.
Plus, now someone has to know both the e-mail address of one of my family members and the common password (well, or just have control of their email, I suppose ... they could reset the password) to get into my site.
I was also considering Auth0's "magic link" passwordless authentication, so that's essentially the same level of security I was looking at in the first place.
(Netlify doesn't currently offer passwordless authentication.)
Browsing the endpoints in GoTrue, the library that powers Netlify Identity, I couldn't figure out how to authenticate to the API for managing users.
Turns out the signup endpoint doesn't require any authentication at all: whether it accepts a request is governed only by the site's Registration setting, so while Registration is "Open" it is open to the whole internet.
I figured this out when I gave up and simply tried performing an HTTP POST operation in Postman against https://my-site.netlify.app/.netlify/identity/signup with a Content-Type header of application/json and a body of {"email": "example@mydomain.com","password": "correcthorse"}.
At first, I received an HTTP response with the Forbidden status code 403, and a response body of {"code":403,"msg":"Signups not allowed for this instance"}.
I flipped Registration from "Invite-only" to "Open" at https://app.netlify.com/sites/my-site/settings/identity and tried again.
This time, I received an HTTP response with the OK status code 200, and a response body of:
{
"id": "987654321",
"aud": "",
"role": "",
"email": "example@mydomain.com",
"confirmed_at": "2020-12-07T17:14:01.856778419Z",
"app_metadata": {
"provider": "email"
},
"user_metadata": null,
"created_at": "2020-12-07T17:14:01.851876Z",
"updated_at": "2020-12-07T17:14:01.856903Z"
}
Visiting https://app.netlify.com/sites/my-site/identity, I saw example@mydomain.com in the list of users.
Checking my e-mail, I had not received an email from Netlify.
Perfect.
I flipped Registration back from "Open" to "Invite-only" before anyone else on the internet got up to any mischief, since while it is "Open" anyone who finds the endpoint can create an account on my site the same way.
It'd be nice if Netlify Identity had some sort of admin-protected way of creating users with prepopulated passwords while registration is "invite-only," but oh well. This will do.
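The Postman request above, turned into a script that seeds a whole list of addresses, as an added example that is not code from the original post or from Netlify. The site name, the addresses and the shared password are placeholders, and the HTTP transport is injectable so the request and response handling can be exercised offline against constructed responses copied from the ones shown above. It distinguishes the 403 "Signups not allowed for this instance" case (Registration still "Invite-only", nothing created) from a 200 with an id, and records whether confirmed_at came back, since a user without it would still be waiting on a confirmation e-mail. It stops at the first 403 rather than hammering the site, and because the endpoint is open to everyone while Registration is "Open", the idea is to run it, then flip Registration back and check the user list for addresses you didn't add.

```python
"""Seed Netlify Identity users through the public signup endpoint.

Added example, not from the original post. "my-site.netlify.app", the
e-mail addresses and the password are placeholders (assumptions).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (url, headers, body) and returns (status_code, body_text).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, str]]


def build_signup_request(site: str, email: str, password: str) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for the POST the post describes."""
    url = f"https://{site}/.netlify/identity/signup"
    headers = {"Content-Type": "application/json"}
    body = json.dumps({"email": email, "password": password}).encode("utf-8")
    return url, headers, body


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Real HTTPS transport. urllib raises on 4xx/5xx, so unwrap the error
    and hand the status and body back like any other response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def interpret_signup_response(status: int, text: str) -> Dict[str, object]:
    """Classify a signup response into the cases seen in the post."""
    try:
        payload = json.loads(text) if text else {}
    except json.JSONDecodeError:
        # Not GoTrue JSON at all (e.g. an HTML error page from a proxy).
        return {"outcome": "unparseable", "status": status}
    if status == 403 and "not allowed" in str(payload.get("msg", "")):
        # Registration is "Invite-only": nothing was created.
        return {"outcome": "signups_closed", "status": status}
    if status == 200 and "id" in payload:
        return {
            "outcome": "created",
            "status": status,
            "id": payload["id"],
            "email": payload.get("email"),
            # confirmed_at present means no confirmation e-mail is pending.
            "confirmed": bool(payload.get("confirmed_at")),
        }
    return {"outcome": "unexpected", "status": status, "msg": payload.get("msg")}


def seed_users(site: str, emails: List[str], password: str,
               transport: Transport = urllib_transport) -> Dict[str, Dict[str, object]]:
    """Create one user per address with the shared password. Stops at the
    first 'signups_closed' result so you notice Registration is still
    "Invite-only" instead of sending the rest of the list for nothing."""
    results: Dict[str, Dict[str, object]] = {}
    for email in emails:
        url, headers, body = build_signup_request(site, email, password)
        status, text = transport(url, headers, body)
        result = interpret_signup_response(status, text)
        results[email] = result
        if result["outcome"] == "signups_closed":
            break
    return results


if __name__ == "__main__":
    # Placeholder site and addresses; this hits the real endpoint when run.
    family = ["example@mydomain.com", "example2@mydomain.com"]
    for address, outcome in seed_users("my-site.netlify.app", family, "correcthorse").items():
        print(address, outcome)
```

Anything reported as "created" but not "confirmed" means that address got a confirmation e-mail after all, which is exactly the thing the seeding was meant to avoid.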