Implement mandatory authentication for all endpoints #514

@jwavoet

Description

Summary

Currently, Fluxygen endpoints are public by default. Security is only applied if a user manually adds a filter like '${header.apikey}' == '#{flowkey}'. If a customer forgets this step, their endpoint is open to the entire internet. We need to move the responsibility of security from the customer to the platform.

The Problem

  • Risk of Exposure: Customers (like Anthura) are often unaware that their endpoints have zero authentication by default.
  • Human Error: Relying on users to manually configure security headers for every flow is a major security risk.
  • Encryption ≠ Authentication: While traffic is encrypted (HTTPS), there is no "bouncer" at the door to check who is calling the endpoint.

Proposed Requirements

  1. Change the Default: Endpoints should be "Closed" or "Private" by default.
  2. Built-in Auth: Implement a standardized authentication layer (e.g., API Keys or Tokens) that works automatically without requiring manual filters in every flow.
  3. User Awareness: Ensure the UI clearly shows whether an endpoint is secured or public.

Impact

This change will prevent accidental data leaks and ensure that Fluxygen meets modern SaaS security standards. We need the backend team to investigate the best way to implement a global authentication gatekeeper that doesn't break existing flows.
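To make the proposed gatekeeper concrete, here is an added sketch (not Fluxygen's code) of a platform-level check that is closed by default, validates the apikey header against the per-flow key the existing filter already uses, and reports a status label the UI could display. The Endpoint model, the explicit public opt-out flag, and the exact status strings are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical endpoint model (assumed, not Fluxygen's): the per-flow secret that the
# current '#{flowkey}' filter compares against, plus an explicit opt-out flag so that
# "public" is a deliberate, visible choice rather than the default state.
@dataclass
class Endpoint:
    name: str
    flow_key: Optional[str] = None
    public: bool = False


def security_status(ep: Endpoint) -> str:
    """Label the UI can show so users see whether an endpoint is secured or public."""
    if ep.public:
        return "public"
    if ep.flow_key:
        return "secured"
    return "closed"  # no key configured and no opt-out: nothing gets through


def authorize(ep: Endpoint, headers: Dict[str, str]) -> Tuple[int, str]:
    """Platform-level gate run before any flow logic; returns (HTTP status, reason)."""
    if ep.public:
        return 200, "public endpoint"
    if not ep.flow_key:
        # Default-deny: an endpoint with no key configured is closed, not open.
        return 403, "endpoint closed: no key configured"
    # Header names are matched case-insensitively, as HTTP requires.
    presented = {k.lower(): v for k, v in headers.items()}.get("apikey")
    if presented is None:
        return 401, "missing apikey header"
    # Constant-time comparison so the check does not leak key bytes via timing.
    if not hmac.compare_digest(presented.encode(), ep.flow_key.encode()):
        return 401, "invalid apikey"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample endpoints and requests for a quick demonstration.
    orders = Endpoint("orders", flow_key="s3cr3t-demo-key")
    forgotten = Endpoint("invoices")  # key never configured: must still be closed
    health = Endpoint("health", public=True)
    print(security_status(forgotten), authorize(forgotten, {}))
    print(security_status(orders), authorize(orders, {"ApiKey": "s3cr3t-demo-key"}))
    print(security_status(health), authorize(health, {}))
```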
