From f1736eb7ad80dd9b744dcd8f2479a3b77ac4ecb2 Mon Sep 17 00:00:00 2001 From: Angus Warren Date: Wed, 3 Jun 2020 18:22:41 +0800 Subject: [PATCH] Updated README future plans --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b524da..4490783 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,23 @@ -# Azglue - A forwarder hosted in Azure to Secure the IT-Glue API. +# AzGlue, a secure API gateway for IT Glue +This project has been forked from [Kelvin Tegelaar](https://github.com/KelvinTegelaar)'s repo hosted on [KelvinTegelaar/AzGlue](https://github.com/KelvinTegelaar/AzGlue) and originally posted to his (fantasic) blog [cyberdrain.com](https://www.cyberdrain.com/documenting-with-powershell-handling-it-glue-api-security-and-rate-limiting/). + +I'll be aiming to implement the following features to improve the security: +- [x] Allow local dev, testing and deployment with VSCode's [Azure Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions). +- [x] Prevent misconfigured gateways from accepting empty API keys. +- [x] Restrict returned data from the /organizations endpoint to honor OrgId whitelisting. +- [ ] Allow clients to post new passwords without allowing them to retrieve existing passwords. +- [ ] Allow whitelisting specific API endpoints. +- [ ] When relaying requests, allow per-endpoint filtering and validation of: + - [ ] Supported HTTP methods (POST/PATCH/PUT/DELETE). + - [ ] Query string paramaters. + - [ ] Payload data sent to IT Glue. + - [ ] Payload data returned to the client. +- [ ] Per-client API keys +- [ ] System to restrict returned data relevant to the specific client PC making the request. +- [ ] Move IT Glue API key to Azure Key Vault. + + +## Original README See https://www.cyberdrain.com/documenting-with-powershell-handling-it-glue-api-security-and-rate-limiting/ for more information. After my previous blogs the comment I’ve received most was worries about the API key. If they key gets stolen you’re giving away the keys to the castle. The API has no limitations and with a leaked key all your documentation could be download. I’ve been discussing this issue with IT-Glue for some time but haven’t gotten a real solution yet. 
This has forced me to look for a solution myself. I gave myself some requirements for the solution.
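Review bot: Two typos in the added task list: "fantasic" should be "fantastic", and "Query string paramaters" should be "Query string parameters". The entry "- [ ] Per-client API keys" is also the only list item without a trailing period; add one for consistency with the others. On the substance, the completed item "- [x] Prevent misconfigured gateways from accepting empty API keys." would be more useful to readers if it stated what the gateway now does when a client supplies no key (for example, that the request is rejected before anything is relayed), since the original README's stated motivation is that a leaked or unprotected key "gives away the keys to the castle"; for the same reason the unchecked "Move IT Glue API key to Azure Key Vault." item is the one most directly addressing that risk and could be flagged as the priority among the open items.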