Discussion about the privacy of the bot.

[Abhishek12345679]

Since we share the id and password of our amizone account. Are these details logged? Could there be a better way to do authentication ?

[ditsuke]

Thanks for starting a discussion.

Are these details logged?

No. However they're stored in our database, unencrypted at rest.

Could there be a better way?

Yes. One possible solution is go-amizone provisioning tokens/JWTs that consumers of the API can use. However I'm currently lacking on time to work on it myself, open for help!

[ADV1K]

Even if we use tokens for authentication we would still need to store the login details in plaintext (or we can't login into amizone)

The only practical solution would be to self host.

[ditsuke]

The token approach would work as follows:

1. Go-amizone gets Amizone credentials in plain-text, it processes these into an encrypted token and returns to the client.
2. Clients can then store these tokens at rest. They're encrypted, i.e., only go-amizone can decrypt them and check for validity.

Not a perfect approach, but using this we no longer store anything in plain-text at rest. Also users can bypass clients and get these tokens directly from go-amizone, meaning we no longer have to trust these clients are not retaining plain-text information. This model can be augmented with access-controls that restrict what a token is allowed to do.