Waziup / api-server


Secure social networks #26

Open cdupont opened 6 years ago

cdupont commented 6 years ago

Currently any user can send messages on the socials (including SMS). Social channels should be protected with per-user and per-channel authorization.

cdupont commented 6 years ago

There is already authorization implemented in the api-server: https://github.com/Waziup/api-server/blob/master/src/proxy.js#L125

However, it is not distinguished from one channel to another. Specific resources should be created in the API-server for each social network: https://github.com/Waziup/api-server/blob/master/src/auth/authZ.js#L37 i.e.:

    const RESOURCE_SOCIALS_SMS = 'Socials_SMS'
    const RESOURCE_SOCIALS_FACEBOOK = 'Socials_Facebook'

Protection should be added for each POST command (i.e. POST SMS, POST Facebook...): https://github.com/Waziup/api-server/blob/master/src/proxy.js#L125

Resources, scopes and permissions should be added in Keycloak.
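The following is an added illustration of the per-channel check described in this thread, not code from the Waziup api-server; the `/socials/<channel>` route shape, the scope names, and the in-memory permission table standing in for Keycloak decisions are all assumptions, the in-memory table being constructed sample data.

```javascript
// Per-channel resource names, as proposed in the comment above.
const RESOURCE_SOCIALS_SMS = 'Socials_SMS';
const RESOURCE_SOCIALS_FACEBOOK = 'Socials_Facebook';

// Assumed mapping from the channel segment of the URL to its resource.
const CHANNEL_RESOURCES = {
  sms: RESOURCE_SOCIALS_SMS,
  facebook: RESOURCE_SOCIALS_FACEBOOK,
};

// Assumed scope names that would be registered in Keycloak per resource.
const METHOD_SCOPES = { POST: 'socials:create', GET: 'socials:view' };

// Constructed sample permissions (user -> resource -> granted scopes).
// In the real deployment this decision would come from Keycloak.
const PERMISSIONS = {
  alice: { Socials_SMS: ['socials:create', 'socials:view'] },
  bob: { Socials_Facebook: ['socials:view'] },
};

// Resolve a request to the (resource, scope) pair it needs, or null
// when the channel or method is not one we know how to protect.
function resolveSocialRequest(method, path) {
  const m = /^\/socials\/([^/]+)\/?$/.exec(path);
  if (!m) return null;
  const resource = CHANNEL_RESOURCES[m[1].toLowerCase()];
  const scope = METHOD_SCOPES[method.toUpperCase()];
  if (!resource || !scope) return null;
  return { resource, scope };
}

// Default-deny authorization: a user may act on a channel only if a
// grant exists for that specific resource and scope. Unknown channels
// are rejected rather than falling through to a channel-agnostic check.
function authorizeSocialRequest(user, method, path, permissions = PERMISSIONS) {
  const target = resolveSocialRequest(method, path);
  if (!target) return { status: 404, reason: 'unknown social channel or method' };
  if (!user) return { status: 401, reason: 'authentication required' };
  const granted = (permissions[user] || {})[target.resource] || [];
  if (!granted.includes(target.scope)) {
    return { status: 403, reason: `missing ${target.scope} on ${target.resource}` };
  }
  return { status: 200, ...target };
}
```

A grant on `Socials_Facebook` no longer implies the right to send SMS, which is the gap the single shared check in proxy.js leaves open.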

cdupont commented 6 years ago

#25 should be implemented before.