Add provisioning API #27
Conversation
|
How about, instead of just a shared secret, a JWT with that secret as key and as a claim it has the user id? That way you could give the user their key so that they could access the provisioning API without compromising security? |
|
For JWTs soru would prolly use https://www.npmjs.com/package/jsonwebtoken |
|
I'm not sure how useful that would be, since the integration manager is probably on the user's or bridge's server. mautrix-manager will at least just proxy everything. Anyway, changed the request handling a bit so that the user ID is in a custom field and thus JWT support can be added easily |
|
soru isn't sure how useful it is for now, either, but perhaps some other matrix feature or thelike is added down the road that the client would want to directly communicate with the bridge. |
| const puppets = await this.bridge.provisioner.getForMxid(req.userId) as IPuppetWithDescription[]; | ||
| if (this.bridge.hooks.getDesc) { | ||
| for (const data of puppets) { | ||
| data.description = await this.bridge.hooks.getDesc(data.puppetId, data.data); |
There was a problem hiding this comment.
perhaps add delete data.data as that object might contain rather sensitive information that someone using the API shouldn't be able to fetch?
There was a problem hiding this comment.
Isn't it always the integration manager or user themselves fetching the data?
There was a problem hiding this comment.
Soru is thinking of expanding this to e.g. have matrix-appservice-discord use it so that you can seemlessly start dms in mx-puppet-discord by inviting matrix-appservice-discord ghosts and it'd use that api, and you probably wouldn't want to allow access to that data, in that case.
Perhaps, to get back to the JWT idea, something with different secrets for different scopes? 🤔
No description provided.