Add provisioning API #27
How about, instead of just a shared secret, a JWT with that secret as key and as a claim it has the user id? That way you could give the user their key so that they could access the provisioning API without compromising security?
For JWTs soru would prolly use https://www.npmjs.com/package/jsonwebtoken
I'm not sure how useful that would be, since the integration manager is probably on the user's or bridge's server. mautrix-manager will at least just proxy everything. Anyway, changed the request handling a bit so that the user ID is in a custom field and thus JWT support can be added easily
soru isn't sure how useful it is for now, either, but perhaps some other matrix feature or the like is added down the road that the client would want to directly communicate with the bridge.
const puppets = await this.bridge.provisioner.getForMxid(req.userId) as IPuppetWithDescription[]; | ||
if (this.bridge.hooks.getDesc) { | ||
for (const data of puppets) { | ||
data.description = await this.bridge.hooks.getDesc(data.puppetId, data.data); |
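Review bot: the loop writes `description` onto the same objects that `getForMxid` returned, so `data.data` is still attached to every entry after the cast to `IPuppetWithDescription[]`. If `puppets` is what the handler sends back, build a new object per entry containing only the fields the caller needs (for example `puppetId` and `description`) instead of mutating the provisioner's rows and returning them. Separately, each `await this.bridge.hooks.getDesc(...)` runs inside the loop with no error handling visible in these lines, so one rejecting hook call fails the whole request; consider catching per entry and falling back to an empty description.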
perhaps add `delete data.data` as that object might contain rather sensitive information that someone using the API shouldn't be able to fetch?
Isn't it always the integration manager or user themselves fetching the data?
Soru is thinking of expanding this to e.g. have matrix-appservice-discord use it so that you can seamlessly start dms in mx-puppet-discord by inviting matrix-appservice-discord ghosts and it'd use that api, and you probably wouldn't want to allow access to that data, in that case.
Perhaps, to get back to the JWT idea, something with different secrets for different scopes? 🤔
No description provided.