Update TODO.md

lewis 8a10a7a6 778c4a67

Changed files
+8
+8
TODO.md
··· 239 239 - [x] SSRF protection for outbound requests. 240 240 241 241 ## Lewis' fabulous mini-list of remaining TODOs 242 + - [ ] The OAuth authorize POST endpoint has no rate limiting, allowing password brute-forcing. Fix this and audit all oauth and 2fa surface again. 242 243 - [ ] DID resolution caching (valkey). 243 244 - [ ] Record schema validation (generic validation framework). 244 245 - [ ] Fix any remaining TODOs in the code. ··· 289 290 - [ ] Invite management (uses `com.atproto.admin.getInviteCodes`, `disableInviteCodes`) 290 291 - [ ] Server stats (uses `com.bspds.admin.getServerStats`) 291 292 293 + ## Future: private data 294 + I will see where the discourse about encrypted/privileged private data is at the current moment, and make an implementation that matches what the bsky team will likely do in their pds whenever they get around to it. 295 + Then when they come out with theirs, I can make adjustments to mine and be ready on day 1. Or 2. 296 + 297 + We want records that only authorized parties can see and decrypt. This requires some sort of federation of keys and communication between PDSes? 298 + Gotta figure all of this out as a first step. 299 +
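Review bot: the new item at line 242 puts two pieces of work behind one checkbox, a specific fix (rate limiting on the OAuth authorize POST endpoint) and an open-ended audit of the OAuth and 2FA surface, so the box stays unticked until the audit is done even if the fix ships. Split it into two items, and say in the first what the limit is keyed on (per account, per client address, or both) and what happens once it is reached, so the fix has a testable definition of done. It would also help to list which endpoints the audit covers, so "again" has a defined scope.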
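Review bot: the "Future: private data" section added at lines 293-298 states the goal ("records that only authorized parties can see and decrypt") but not the trust assumptions it depends on, in particular whether the PDS operator is allowed to see plaintext and who holds the keys. Those decide whether "federation of keys and communication between PDSes" is needed at all, so record them as the first open questions. The rest of the file tracks work as `- [ ]` items; turning the questions here into checklist entries, with a blank line after the heading, would keep the section consistent and make the first step on line 298 trackable.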