Closed: thefirstofthe300 closed this 4 years ago
I'm concerned about the lack of security details present in this RFC. In my implementation at least, there is one user in particular who would be all too eager to exploit a partially-secured HTTP API to screw with the bot. Although I don't want to work out all the details right this moment, I do think it's important that we design multiple layers of security into the data server. Perhaps this is a discussion we should have on IRC or Discord at some point?
This RFC is already mostly deprecated. There's a lot of discussion happening on the Discord if you feel like checking out the dev channel there :o
@s0ph0s-2 rikai is correct that this RFC is about to undergo a major revision and tbh, it is mostly a collection of semi-organized thoughts on how to build it. It definitely isn't anywhere near finished.
The authentication mechanisms will be major considerations (we are planning to open up the API to third-party developers based on our discussions so far, so it's an absolute must that we nail it); however, we need to know what the general architecture will look like before we decide how each class of client should authenticate.
The design for the data server.
Also feel free to go ham with this one. :P