Update TODO.md

lewis 8a10a7a6 778c4a67

Changed files
+8
+8
TODO.md
··· 239 - [x] SSRF protection for outbound requests. 240 241 ## Lewis' fabulous mini-list of remaining TODOs 242 - [ ] DID resolution caching (valkey). 243 - [ ] Record schema validation (generic validation framework). 244 - [ ] Fix any remaining TODOs in the code. ··· 289 - [ ] Invite management (uses `com.atproto.admin.getInviteCodes`, `disableInviteCodes`) 290 - [ ] Server stats (uses `com.bspds.admin.getServerStats`) 291
··· 239 - [x] SSRF protection for outbound requests. 240 241 ## Lewis' fabulous mini-list of remaining TODOs 242 + - [ ] The OAuth authorize POST endpoint has no rate limiting, allowing password brute-forcing. Fix this and audit all oauth and 2fa surface again. 243 - [ ] DID resolution caching (valkey). 244 - [ ] Record schema validation (generic validation framework). 245 - [ ] Fix any remaining TODOs in the code. ··· 290 - [ ] Invite management (uses `com.atproto.admin.getInviteCodes`, `disableInviteCodes`) 291 - [ ] Server stats (uses `com.bspds.admin.getServerStats`) 292 293 + ## Future: private data 294 + I will see where the discourse about encrypted/privileged private data is at the current moment, and make an implementation that matches what the bsky team will likely do in their pds whenever they get around to it. 295 + Then when they come out with theirs, I can make adjustments to mine and be ready on day 1. Or 2. 296 + 297 + We want records that only authorized parties can see and decrypt. This requires some sort of federation of keys and communication between PDSes? 298 + Gotta figure all of this out as a first step. 299 +
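Review bot: The new item at line 242 packs two separate pieces of work into one checkbox: the rate-limiting fix for the OAuth authorize POST endpoint, and a re-audit of the whole OAuth and 2FA surface. It cannot be ticked until both are done, and the fix has no stated completion criterion. Suggest splitting it into two `- [ ]` entries and saying in the first what the limit should be keyed on (for example per account and per client address), so it is clear when the brute-force exposure is closed. Minor style point: the same line writes "OAuth" and then "oauth" and "2fa"; pick one casing.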
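Review bot: The "Future: private data" section added at lines 293-298 is free prose, while the other entries visible in this file are `- [ ]` checklist items, so nothing in it can be tracked or ticked off. The open question on line 297 ("This requires some sort of federation of keys and communication between PDSes?") is the actual first task; suggest turning it into a checklist item such as a short design note covering who counts as an authorized party, where the decryption keys are held, and what PDSes must exchange. The section also switches between "I" and "We", and line 299 adds a trailing blank line that can be dropped.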