@fabian-rump I'd like your thoughts/input on this:
I can define scopes that specific applications/tokens are allowed to access, and can limit the ability to use an endpoint to certain scopes (I could probably use the scopes to limit other stuff too, but let's go with just the endpoint for now).
There is one default scope, public, and the additional scopes checkout, deposit and admin (it's probably obvious which is for what). Keeping in mind that the public scope also requires an app/token, i.e. that public operations are also only possible for "trusted" clients, my proposal would be:
cart operations (show, create, update): checkout
look up product or user by identifier: public (could lead to a slurping of all user data though, so will need to be more fine-grained later)
product operations (show and index): public (could leak the current stock, but who cares?)
cart payment: checkout
transaction filter: public
deposit: deposit
user show: public
Do you think that would be enough to cover our bases for Aachen?
I think your proposal is perfectly fine for the Aachen deployment/scenario. Though we could agree on a more fine-grained access scheme later (e.g. read-only permission for certain entities etc.).
Deposits in AC should only be possible from a protected client.
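As an added illustration of the proposal above and the deposit restriction in the reply (example code, not the project's own), here is a deny-by-default scope check. The endpoint names, the `Token` struct and the result symbols are assumptions; the scope-to-operation mapping follows the proposal as written.

```ruby
# Added example: map each endpoint to the single scope the proposal assigns it.
# Endpoint names ("controller#action") are assumed, not the project's actual routes.
REQUIRED_SCOPE = {
  "carts#show"         => "checkout",
  "carts#create"       => "checkout",
  "carts#update"       => "checkout",
  "carts#pay"          => "checkout",   # cart payment
  "lookup#show"        => "public",     # product or user by identifier
  "products#show"      => "public",
  "products#index"     => "public",
  "transactions#index" => "public",     # transaction filter
  "deposits#create"    => "deposit",    # deposits only from a protected client
  "users#show"         => "public",
}.freeze

# Assumed token representation: the list of scopes granted to the app/token.
Token = Struct.new(:scopes)

# Returns one of :allowed, :unknown_endpoint, :no_token, :missing_scope.
# Unknown endpoints and requests without any app/token are always denied,
# since even the public scope requires a trusted client.
def authorize(endpoint, token)
  required = REQUIRED_SCOPE[endpoint]
  return :unknown_endpoint if required.nil?
  return :no_token if token.nil?
  token.scopes.include?(required) ? :allowed : :missing_scope
end

# Convenience: which endpoints a given token may call under this policy.
def permitted_endpoints(token)
  REQUIRED_SCOPE.select { |_, scope| token.scopes.include?(scope) }.keys
end
```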