We've had a number of discussions already in the past several years where we've pointed out the inherent limitations in the design and implementation of the Self-Service component. I don't want to offend anyone, but this has to change. We have discussed it previously and already there is a roadmap item whereby the Self-Service component would become more external and optional to the core. This will strengthen the overall security because one can more easily pass static and dynamic security audits that currently evaluate the Self-Service API "unfavorably". While I know that the Self Service APIs are a favorite because of the features that they enable, and it is tempting to try to extend them, we really shouldn't, not until we have a new path laid out.
If you have some ideas on how to have a good design and move this into a robust security model as well, please raise them here in generic terms. This will overlap, I think, with the discussion on auth server and resource server.

Please note that all security issues should be formally raised on secur...@fineract.apache.org or secur...@apache.org, and please keep in mind that this is a public email list.

On Sun, May 21, 2023 at 12:40 AM Ippez Robert <ippezrob...@gmail.com> wrote:
>
> Dear Fineracters,
>
> Thanks for taking some time to have discussions around this. From the
> discussion so far, presumably USSD for clients has been implemented so far by
> one of the partners (Zayyad A. Said). It will be great to extend this for
> this cause and at the end of the day contribute it back to the community.
> (Zayyad A. Said, we can discuss this, but it may need major API
> implementations on the main Fineract codebase like Self Service APIs for
> clients).
>
> If I remember correctly, when the self service APIs were being discussed for
> implementation, there were considerations for Agency Banking as part of this
> implementation. But it seems the implementation stage didn't cater for this.
>
> From the archives, I see this
> https://github.com/openMF/mobileapps.github.io/blob/master/index.md#third-partyagent-banking-external-staff
> , so I am wondering if the APIs already exist in the Fineract codebase so that we
> can benchmark on it.
>
> Thanks and regards
> Ippez Robert