[poststation] Access Control Ideas?

[jamesmunns]

Right now poststation allows connections locally, and all connections have "full permissions" to all devices and capabilities.

Before we open up connections outside of the local device, we need at minimum some kind of auth token to prevent unauthorized users making connections.

We also may want to consider "scoping" these permissions, e.g. allowing read only access (list devices, subscribe to topics, see history), but not write access (endpoint requests, publishes, deleting history); or only allow access to a subset of devices.

At the moment, I plan to put this info in a config file, we might also want API access to create or revoke tokens.

[jamesmunns]

I'm currently looking at https://github.com/biscuit-auth/biscuit-rust as an option for this.