🚀 Feature: Auto Endpoint and API Key variables

[DEADSEC-SECURITY]

🔖 Feature description

In docs if we want to use services we have to manually set APPWRITE_FUNCTION_ENDPOINT and APPWRITE_FUNCTION_API_KEY (possibly even more but those are the main ones).
My question is if these are basically required why not just have appwrite auto set them? Or at least have the option in settings so they are set automatically.

Following the same logic for API key we could even have auto rotation of keys by doing some settings in the function and it would add the env variables auto and every n time would refresh for security.

I think this was clear but let me know what you guys think

🎤 Pitch

Well these env variables are basically used 99% of the time so to prevent human errors would be cool to have them auto setted or at least have the option to do so.

Also with the injection of api key env we could later on have auto key rotation which would be a big security improvement in my opinion.

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[Meldiron]

Regarding endpoint, we could put containers on shared network with proper firewall config and allow appwrite as endpoint. Doing http:https://appwrite/v1 (which could be default) would then automatically talk to your API. Main problem here is security, we need to make sure everything is properly isolated.

Regarding API Keys, that's a bit more tricky. A solution I can see is to allow selecting scopes in functions settings, just like you can select scopes when creating API key.
By doing that, Appwrite would automatically generate JWT key that gives selected scopes and expires with execution (max duration). Again, using this ENV var as default in the SDK is something we could do.Only problem I see here is naming convention. We can't really call it JWT, as JWT is a way for server to impersonate a client.

With both of these in place, an example code in Appwrite Function could potentially look like this:

const sdk = require("node-appwrite");

module.exports = async function (req, res) {
  const client = new sdk.Client();
  const users = new sdk.Users(client);

  res.json({
    users: await users.list(),
  });
};

Notice how project ID, endpoint and API Key are not being set. All would work over ENV vars that are used as defaults.

[DEADSEC-SECURITY]

@Meldiron thats exactly what I was thinking about.
Seems like a plan. Im free to help in anyway I can, Im a python dev so not sure how much of a use I could be for this but anyway let me know if I could do anything.

[DEADSEC-SECURITY]

@Meldiron any updates? Do you need help?

[stnguyen90]

Regarding endpoint, we could put containers on shared network with proper firewall config and allow appwrite as endpoint.

@Meldiron, one thing to keep in mind about this is HTTPS. If _APP_OPTIONS_FORCE_HTTPS is enabled, the request will be redirected to https, but the certificate would probably be self signed, so the function code would need to make sure to call client.setSelfSigned(true).

[DEADSEC-SECURITY]

Well if its internal networking @stnguyen90 that wouldnt be a problem I think. The container would use the internal IP and not the public IP or domain I think. At least thats what got from @Meldiron

[stnguyen90]

Well if its internal networking @stnguyen90 that wouldnt be a problem I think. The container would use the internal IP and not the public IP or domain I think. At least thats what got from @Meldiron

@DEADSEC-SECURITY, I was pointing out about HTTPS vs HTTP rather than the IP/hostname.

[DEADSEC-SECURITY]

Any news on this feature request?