Posted by · 10 days ago
bibwild.wordpress.com/2021/0...
8 comments
level 1

I used to be a principal engineer for the heroku add-ons program.

One issue with hirefire is they request account-level OAuth tokens that essentially give them the ability to do anything with your apps, whereas Rails Autoscaling worked with us to create a partnership and integrate with our "official" add-on APIs that limit security concerns and are scoped to the application that's being scaled.

Part of the reason for hirefire working the way it does is historical, but we've supported the endpoints they need to scale for "official" partners for years now.

A lot of heroku customers use hirefire so please don't think I'm spreading FUD, but you should be aware you're giving a third party very broad rights to do things to your apps. They probably won't, of course, but what if there's a compromise?

"Official" add-on providers are given limited scoped tokens to (mostly) only the actions / endpoints they need, minimizing blast radius if they do get compromised.

level 2
Original Poster · 10 days ago · edited 10 days ago

Good to know, thanks for that info! Maybe I'll add this into the post.

I actually am a bit confused now figuring out how I gave hirefire access to scale, and how I'd revoke it. But current hirefire docs say:

All new Heroku API integrations will use OAuth exclusively [instead of an API key]... The Heroku API Key provided full access to your account, but with OAuth we're able to limit our access scope. We use the write scope which is the bare minimum we need to provide our autoscaling service. This prevents HireFire from being able to access sensitive information such as your configuration variables.

Is it possible they have switched to a method that reduces the problems you identified?

It is regardless hard to resist when it is both fuller-featured and significantly less expensive than the "official" competitor, and they are apparently very popular with lots of customers. In my budget, it's hard to decide to pay an extra $100/month to avoid potential security issues that apparently lots of other customers are willing to overlook too...

I wonder what keeps hirefire from being an official add-on provider and using more scoped access. Do official providers have to give heroku a %-cut? If so they'd have to raise their prices somewhat, but the price difference is pretty astonishing.

It would be nice if heroku offered more scoped OAuth tokens for API use generally. Why does heroku limit the limited-scope tokens to only official add-on partners?

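The OP asks how to find out which third parties hold access to the account and how to revoke it. As an added example (not code from the thread or from either vendor), the script below lists Heroku OAuth authorizations, works out the broadest scope each one carries, and flags the ones that reach protected data such as config vars; the sample authorizations, client names and ids are constructed, and the live fetch assumes the Platform API's `/oauth/authorizations` endpoint.

```python
"""Audit which third parties hold Heroku OAuth authorizations and how broad
their scope is. Added example, not code from the thread; SAMPLE below is
constructed data, not a real account."""
import json
import urllib.request

# Heroku OAuth scopes, least to most privileged. The *-protected scopes add
# access to protected attributes such as config vars; "global" is everything.
# Note that every authorization listed here is account-wide, even "write".
SCOPE_RANK = {"identity": 0, "read": 1, "write": 2,
              "read-protected": 3, "write-protected": 4, "global": 5}
BROAD = {"read-protected", "write-protected", "global"}

def broadest_scope(scopes):
    """Return the single most privileged scope in an authorization."""
    known = [s for s in scopes if s in SCOPE_RANK]
    return max(known, key=SCOPE_RANK.__getitem__) if known else "unknown"

def audit(authorizations):
    """Rank authorizations most-privileged first and flag the broad ones.
    Each row: (client name, broadest scope, flagged, authorization id).
    A flagged row's id is what you would pass to
    DELETE /oauth/authorizations/{id} to revoke it."""
    rows = []
    for a in authorizations:
        client = ((a.get("client") or {}).get("name")
                  or a.get("description") or "<no client>")
        top = broadest_scope(a.get("scope", []))
        rows.append((client, top, top in BROAD, a["id"]))
    return sorted(rows, key=lambda r: -SCOPE_RANK.get(r[1], -1))

def fetch_authorizations(api_token):
    """Live call to the Platform API (not used by the offline demo below)."""
    req = urllib.request.Request(
        "https://api.heroku.com/oauth/authorizations",
        headers={"Accept": "application/vnd.heroku+json; version=3",
                 "Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample in the shape the endpoint returns; ids are placeholders.
SAMPLE = json.loads("""[
 {"id": "auth-1", "description": "autoscaler-A", "scope": ["write"],
  "client": {"name": "autoscaler-A"}},
 {"id": "auth-2", "description": "addon-B", "scope": ["read"],
  "client": {"name": "addon-B"}},
 {"id": "auth-3", "description": "cli-session", "scope": ["global"],
  "client": null}
]""")

if __name__ == "__main__":
    for client, top, flagged, auth_id in audit(SAMPLE):
        print(f"{'REVIEW' if flagged else 'ok':6} {client:14} {top:16} id={auth_id}")
```

Run against a real account by replacing `SAMPLE` with `fetch_authorizations(token)`; anything flagged, or any account-wide "write" grant to a vendor that only needs to scale one app, is a candidate for revocation.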