We're implementing the password recovery flow with a custom page on our website to change the password. We're using the Admin API ResetPassword to do this.
We're taking measures to secure the secret key on our website without it being visible in the browser client, but to be extra safe we would like to limit possible calls to other Admin methods we're not currently using.
We've been able to update the Client API policy using the Admin API UpdatePolicy. But so far we've had no luck restricting calls to the Admin API, testing with the ResetPassword method.
My current understanding is that the following policy should allow all Client/Server methods and restrict every Admin API method but GetPolicy and UpdatePolicy (in order to not lock us out of changing that policy down the road). Is the policy wrong, or is it just impossible to deny admin methods?
```json
[
  {
    "Resource": "pfrn:api--/Client/*",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "The default allow all statement."
  },
  {
    "Resource": "pfrn:api--/Server/*",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "The default allow all statement."
  },
  {
    "Resource": "pfrn:api--/Admin/UpdatePolicy",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "Preserve our ability to call UpdatePolicy"
  },
  {
    "Resource": "pfrn:api--/Admin/GetPolicy",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "Preserve our ability to call GetPolicy"
  }
]
```
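As an added illustration (not part of the post above, and not the service's own code), the following Python evaluator walks statements in the shape shown above and reports what each call would get. Its evaluation rules (wildcard matching on `Resource`, `Action` and `Principal`; an explicit `Deny` overriding any `Allow`; default deny when no statement matches) are assumptions made for the example, not a description of how PlayFab actually applies its policy. A constructed `Deny` statement on `Admin/*` is included to show why, under such a model, a blanket deny would also block the `GetPolicy` and `UpdatePolicy` calls the poster wants to keep, which is the reason an allow-list shape like the one above is used instead.

```python
"""Minimal policy evaluator for statements of the form used in the post.

ASSUMPTIONS (illustrative only, not the service's documented behaviour):
  - Resource/Action/Principal are matched with shell-style wildcards.
  - An explicit Deny that matches overrides every Allow.
  - If no statement matches, the call is denied (default deny).
"""
import fnmatch

# The poster's allow-list policy (Comments dropped; they play no part in matching).
ALLOW_LIST_POLICY = [
    {"Resource": "pfrn:api--/Client/*", "Action": "*", "Effect": "Allow", "Principal": "*"},
    {"Resource": "pfrn:api--/Server/*", "Action": "*", "Effect": "Allow", "Principal": "*"},
    {"Resource": "pfrn:api--/Admin/UpdatePolicy", "Action": "*", "Effect": "Allow", "Principal": "*"},
    {"Resource": "pfrn:api--/Admin/GetPolicy", "Action": "*", "Effect": "Allow", "Principal": "*"},
]

# Constructed for this example: a blanket Deny on the whole Admin namespace.
DENY_ALL_ADMIN = {"Resource": "pfrn:api--/Admin/*", "Action": "*", "Effect": "Deny", "Principal": "*"}

# Constructed sample of calls to check (the Admin method names appear in the post).
SAMPLE_CALLS = [
    "pfrn:api--/Client/LoginWithCustomID",
    "pfrn:api--/Server/UpdateUserData",
    "pfrn:api--/Admin/ResetPassword",
    "pfrn:api--/Admin/GetPolicy",
    "pfrn:api--/Admin/UpdatePolicy",
]


def statement_matches(stmt, resource, action, principal):
    """True if every field of the statement matches the call (wildcards allowed)."""
    return (
        fnmatch.fnmatchcase(resource, stmt["Resource"])
        and fnmatch.fnmatchcase(action, stmt["Action"])
        and fnmatch.fnmatchcase(principal, stmt["Principal"])
    )


def evaluate(policy, resource, action="*", principal="*"):
    """Return 'Allow' or 'Deny' for one call under the assumed model."""
    decision = "Deny"  # default deny: nothing matched yet
    for stmt in policy:
        if not statement_matches(stmt, resource, action, principal):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of later Allows
        decision = "Allow"
    return decision


def audit(policy, calls):
    """Map each call to its decision, so a policy can be reviewed before deployment."""
    return {call: evaluate(policy, call) for call in calls}


def main():
    print("Allow-list policy (as posted):")
    for call, decision in audit(ALLOW_LIST_POLICY, SAMPLE_CALLS).items():
        print(f"  {decision:5}  {call}")
    print("Same policy plus a blanket Deny on Admin/* (constructed):")
    for call, decision in audit(ALLOW_LIST_POLICY + [DENY_ALL_ADMIN], SAMPLE_CALLS).items():
        print(f"  {decision:5}  {call}")


if __name__ == "__main__":
    main()
```

Under these assumptions the posted policy allows every Client and Server call, allows `Admin/GetPolicy` and `Admin/UpdatePolicy`, and denies `Admin/ResetPassword` because no statement matches it. Appending the blanket `Deny` denies `GetPolicy` and `UpdatePolicy` as well, since a matching `Deny` overrides the specific `Allow` statements; the `audit` helper makes that visible before a policy is pushed.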