Updated README future plans
AngusWarren committed Jun 3, 2020
1 parent 2431d6e commit f1736eb
Showing 1 changed file with 20 additions and 1 deletion.
21 changes: 20 additions & 1 deletion README.md
@@ -1,4 +1,23 @@
# Azglue - A forwarder hosted in Azure to Secure the IT-Glue API.
# AzGlue, a secure API gateway for IT Glue
This project has been forked from [Kelvin Tegelaar](https://github.com/KelvinTegelaar)'s repo hosted on [KelvinTegelaar/AzGlue](https://github.com/KelvinTegelaar/AzGlue) and originally posted to his (fantasic) blog [cyberdrain.com](https://www.cyberdrain.com/documenting-with-powershell-handling-it-glue-api-security-and-rate-limiting/).

I'll be aiming to implement the following features to improve the security:
- [x] Allow local dev, testing and deployment with VSCode's [Azure Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions).
- [x] Prevent misconfigured gateways from accepting empty API keys.
- [x] Restrict returned data from the /organizations endpoint to honor OrgId whitelisting.
- [ ] Allow clients to post new passwords without allowing them to retrieve existing passwords.
- [ ] Allow whitelisting specific API endpoints.
- [ ] When relaying requests, allow per-endpoint filtering and validation of:
- [ ] Supported HTTP methods (POST/PATCH/PUT/DELETE).
- [ ] Query string paramaters.
- [ ] Payload data sent to IT Glue.
- [ ] Payload data returned to the client.
- [ ] Per-client API keys
- [ ] System to restrict returned data relevant to the specific client PC making the request.
- [ ] Move IT Glue API key to Azure Key Vault.


## Original README
See https://www.cyberdrain.com/documenting-with-powershell-handling-it-glue-api-security-and-rate-limiting/ for more information.

After my previous blogs the comment I’ve received most was worries about the API key. If they key gets stolen you’re giving away the keys to the castle. The API has no limitations and with a leaked key all your documentation could be download. I’ve been discussing this issue with IT-Glue for some time but haven’t gotten a real solution yet. This has forced me to look for a solution myself. I gave myself some requirements for the solution.
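Review bot: the checked item "Restrict returned data from the /organizations endpoint to honor OrgId whitelisting" reads as if OrgId whitelisting is enforced everywhere, while the per-endpoint filtering and validation items directly below it (supported HTTP methods, query string parameters, payload data sent to and returned from IT Glue) are still unchecked; suggest a short caveat under that line stating that other endpoints returning organization-scoped data are relayed unfiltered until the per-endpoint work lands, so an operator deploying this gateway today does not assume the whitelist covers the whole API. Two smaller points in the same list: the four sub-items after "When relaying requests, allow per-endpoint filtering and validation of:" should be indented so they render as children of that item rather than as top-level features, and "Per-client API keys" is the only item without a terminating period.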

0 comments on commit f1736eb