Only allow authorized requests to app components in Fermyon Cloud

[Corbie-42]

The request execution in the Fermyon Cloud is limited. E.g. the starter plan includes 100,000 requests per month and the request execution limit is 1,000 requests per second (see FAQ: Quota Limits).

So if an attacker knew the URL of the app, they could send 1,000 requests over 100 seconds and the limit is exceeded.

Now I could try to prevent that from happening, e.g. by using an API gateway, that only forwards authorized requests. This is never a bad idea, but only partly solves the issue.
Even with TLS, the host name of the app is exposed, so in

https://user42:awesomePa$$word1@example-app-sdgryh1.fermyon.app?token=eyf00ba12

the part example-app-sdgryh1.fermyon.app is transferred unencrypted. So any man-in-the-middle (or potentially next to it) knows, where the request was sent to and therefore can easily take down my app in 100 seconds with simple GET requests.

So is there any way to prohibit unauthorized requests, if someone knows the URL of my app?

[Corbie-42]

A solution, that is already working, would be to configure some kind of access token in the path, because that is part encrypted:

[[trigger.http]]
route = "/5F7B50F5FB6E54EDE826199887FBB972/cart/checkout"
environment = { TOKEN = "5F7B50F5FB6E54EDE826199887FBB972" }

This has some downsides:

1. you have to strip the TOKEN, when handling requests
2. the TOKEN appears in the logs:

   {
      ...
      "spin-matched-route": "/5F7B50F5FB6E54EDE826199887FBB972/cart/checkout",
      ...
      "spin-raw-component-route": "/5F7B50F5FB6E54EDE826199887FBB972/cart/checkout", 
      "spin-component-route": "/5F7B50F5FB6E54EDE826199887FBB972/cart/checkout"
   }

Nevertheless, from a security/billing standpoint, this might be a first workaround.