Allow protecting the 'bw serve' endpoint with an Authorization Header

Currently the bw serve command defaults to only listening on localhost which is already a good thing.
But still, all applications on the system would be able to access the passwords without any authentication. That is fine when bw serve is only run for a short time, but for use cases where you want to run it for a longer time, it just does not feel right.

An easy fix for it would be an (optional) parameter on the command to require an Authorization Header. The parameter could accept a token that is checked or if not specified, defaults to the BW_SESSION key that already exists.

To access the API, you would then have to use it like this: curl -H "Authorization: Bearer $BW_SESSION" http://localhost:8087/list/object/items

This would improve the security a lot while keeping it simple.

What do you think?

Any thoughts on this? I think this is a possible security issue that can easily be fixed.

I agree. Although this server would probably not be sufficiently secure anyway, even with this improvement: this kind of service is normally expected to run behind a reverse proxy. Maybe you can install “bw serve” as well as the reverse proxy into a Docker container and expose it through the reverse proxy interface.