interledger
[Auth] Move interaction routes to a different port
Context
The auth package currently has the GNAP routes and the interaction routes on the same port. The GNAP routes need to be exposed to the world while the interaction routes do not. Hence, we'd like to move the interaction routes to their own port.
To clarify:
- all the routes that are specified here stay on the current port
- all the remaining routes (those used for interacting with the grant) move to a new port
Todos
- [ ] move interaction routes to own port
Isn't problematic only accept/reject route?
These two are most problematic in my view. For example, if Rafiki Auth is exposed, then on the checkout of Rafiki Boutique, I can use probably any payment pointer I want. Because for accepting grant, I only need interaction and nonce. For /finish route, that is probably ok to be exposed right? Because redirect url is specified in grant if I am not mistaken. So it will be always redirected to correct URL. There can be issue only in case of MITM attack.
Just a food for thought :)
@sabineschaller on the link that you provided (https://openpayments.dev/apis/auth-server/), I cannot see any routes.
I can take this ticket if we specify what routes should be exposed and what not.
Suggestion:
Leave as it is with the exception of /accept and /reject API call. These two are IMHO most sensitive