OAuth-based authorization is an all-or-nothing approach that gives third-party Apps constant access to the user’s devices.
I want to implement an extra layer between the ST API and third-party apps. After the App is granted permissions by the user (i.e., receiving an OAuth token), this layer is responsible for enforcing extra constraints on what and when an App can access user devices, and for allowing the user to specify such restrictions so that they apply to all apps installed on his/her account.
However, ST is closed-source and I cannot implement such a layer on the ST platform itself. To overcome this, I just want to implement a proof-of-concept.
I want to develop the layer as a SmartApp that the user can install like any other app. This App needs to be trusted by the user and needs to be granted permissions to do its job (e.g., read details of all installed apps).
The other Apps installed for a given user account must route their API calls to the Access Control App. Upon receiving an API call, the AC App applies some AC rules and either rejects the call or forwards it to the ST API. However, events dispatched from the ST API to apps are not intercepted by the AC app.
The AC rules enforced by the AC app are specified by the user him/herself. For example, for all installed Apps, no App can access any device if Home Mode is Away.
So, how exactly can I implement the AC layer as a SmartApp (maybe in Node.js) and route API calls through it?
I know this will add some overhead to API calls, but I just want to give it a try and see how much it really costs.
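One way to structure the AC layer described above, as an added example in Node.js (not code from the original post or from the SmartThings platform): the rule shape, the request/context shape and the `forwardToApi` callback are assumptions, and the "no device access while Away" rule from the post is the first entry in the rule list.

```javascript
// Added example (not from the original post). A minimal access-control (AC)
// layer that third-party apps call instead of the device API directly.
// Rule shape, request shape and `forwardToApi` are assumptions; nothing here
// touches the real SmartThings API.

// A rule is a predicate over (request, context); the first rule that returns
// true denies the call. Rules are user-defined and apply to every app.
const userRules = [
  {
    name: 'no device access while mode is Away',
    denies: (req, ctx) => ctx.mode === 'Away' && req.resource === 'device',
  },
  {
    name: 'no device commands between 23:00 and 06:00',
    denies: (req, ctx) =>
      req.action === 'command' && (ctx.hour >= 23 || ctx.hour < 6),
  },
];

// Audit trail of denied calls so the user can review what apps attempted.
const deniedLog = [];

// Evaluate one call: returns the decision and, when allowed, the forwarded result.
// Default is allow; only an explicit user rule denies (matches the post's design).
function handleApiCall(req, ctx, rules, forwardToApi) {
  const hit = rules.find((r) => r.denies(req, ctx));
  if (hit) {
    deniedLog.push({ appId: req.appId, action: req.action, rule: hit.name });
    return { allowed: false, reason: hit.name };
  }
  return { allowed: true, result: forwardToApi(req) };
}

// Constructed stand-in for the platform API: just echoes the call back.
function fakeApi(req) {
  return { ok: true, app: req.appId, device: req.deviceId, action: req.action };
}

// Constructed sample calls and contexts (hypothetical app/device ids).
const readCall = { appId: 'app-1', resource: 'device', deviceId: 'lamp', action: 'read' };
const commandCall = { ...readCall, action: 'command' };
const awayCtx = { mode: 'Away', hour: 14 };
const homeCtx = { mode: 'Home', hour: 14 };

// Example run: a read while Away is denied, the same read while Home is forwarded.
console.log(handleApiCall(readCall, awayCtx, userRules, fakeApi));
console.log(handleApiCall(readCall, homeCtx, userRules, fakeApi));
```

Events pushed from the platform to apps still bypass this function, as the post notes; it only covers the app-to-API direction.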