Authentication/authorization/user management?

[sverhoeven]

• Anybody can do curl -XPOST http://<some domain on internet>:8080/users -d 'me' to get an account.
• Anybody can pick an existing username and see the data associated with that account.
• No password is needed to authenticate, just pick a username
• Easy to share results by just logging in as same user

I would not like to run this service on the Internet, as is.

Are these features acceptable for others?

[meiertgrootes]

This is indeed an issue. the idea was, that as long as the system was running locally, i.e. brought up by a user on on their own machine, the risk, while present, wasn't very large. Accordingly, due to a lack of time, this was pushed back in priority. Those instances of the Gui that were exposed to the internet during the workshop were placed behind a password protection. I don't know the details of the choices made there, as this was done and hosted via knaw-huc.

[cwmeijer]

We won't host it for the coming milestone so this is not an issue right now.
User shouldnt host it to the internet.