Restricting API use by Barcode PIN & blockInfo field in patron record

A while back I submitted an Idea to assign granularity to API role permissions.

Until that happens… how would libraries use API permissions to restrict access to the public computers by:

  • PIN/Barcode
  • BlockInfo field

We only want to assign the permission via the Patrons Validate role.
We don’t want to give our vendors access to Patrons Read role (that has too much personal information in it).

Should I submit a specific Idea for a new API permission based on the BlockInfo field?


Maybe the solution is to set up an intermediate server which filters out any sensitive field parameters in the GET query string, so that the URI reads something like **blockInfo**%2C**barcodes**

Authenticating with the PIN is beyond anything I have done in the Sierra API, so I can’t offer any suggestions there.
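One way to implement the query-string filter suggested above, as an added example that is neither the poster's code nor part of the Sierra API. It assumes the comma-separated field list travels in a query parameter named `fields` (the `blockInfo%2Cbarcodes` fragment suggests this, but the post does not say so), and that the intermediate server can rewrite the query string before forwarding the request:

```python
from urllib.parse import parse_qsl, urlencode

# Patron fields the vendor-facing proxy is allowed to forward to the API.
# Order is kept so the injected default is stable. (Assumed field names,
# taken from the fragment quoted in the post.)
ALLOWED_FIELDS = ("blockInfo", "barcodes")


def filter_fields_query(query_string):
    """Rewrite a GET query string so only allow-listed patron fields reach the API.

    Policy applied by the proxy:
      * fields not on the allow list are dropped (comparison is exact, so a
        differently-cased variant is dropped rather than let through);
      * if the client sent no usable field, the allow list is injected, so the
        upstream default field set (which may include personal data) is never
        returned;
      * every other parameter passes through unchanged.
    Returns (rewritten_query_string, dropped_fields) so the proxy can log what
    a client tried to request.
    """
    requested = []
    passthrough = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "fields":
            # Repeated "fields" params and %2C-encoded commas both land here.
            requested.extend(f.strip() for f in value.split(",") if f.strip())
        else:
            passthrough.append((key, value))

    kept, dropped = [], []
    for field in requested:
        if field in ALLOWED_FIELDS and field not in kept:
            kept.append(field)
        elif field not in ALLOWED_FIELDS:
            dropped.append(field)
    if not kept:
        kept = list(ALLOWED_FIELDS)

    passthrough.append(("fields", ",".join(kept)))
    # urlencode re-encodes the comma as %2C, matching the fragment in the post.
    return urlencode(passthrough), dropped


if __name__ == "__main__":
    # Constructed sample request: a client asks for one field it may not have.
    print(filter_fields_query("fields=blockInfo%2Cbarcodes%2Cemails&id=123"))
```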

We use cloudflare for something like this on the Polaris side. It offers tons of flexibility in terms of pinpointing the exact strings you want to block that you can combine with source IPs, countries, and tons of other signals. I believe that can all be done with their free account. We use their pro plan which is $20 a month.

Implementing cloudflare is a significant task that takes some time to wrap your head around, but once you have it in place you quickly come to appreciate the flexibility and extra security it offers you.


Oops - I see that the “emboldening” didn’t work as intended in a URI, so that should have read:
