Add comment with warning about encryption key

ooni · Jan 22, 2025 · cc0342d · cc0342d
1 parent dcf48d5
commit cc0342d
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/ooniapi/services/ooniprobe/src/ooniprobe/routers/v1/probe_services.py b/ooniapi/services/ooniprobe/src/ooniprobe/routers/v1/probe_services.py
@@ -104,8 +104,19 @@ def probe_register_post(
 
     Note that most of the request body arguments are not actually
     used but are kept here to use the same API as the old version
+    
     """
 
+    # **IMPORTANT** You have to compute this token using a different key
+    # to the one used in ooniauth service, because you could allow
+    # a login bypass attack. 
+    #
+    # Note that this token is generated regardless of any authentication, 
+    # so if you use the same jwt_encryption_key for ooniauth, you give users
+    # an auth token for free
+    #
+    # We set this up in the terraform level
+
     # client_id is a JWT token with "issued at" claim and
     # "audience" claim. The "issued at" claim is rounded up.
     issued_at = int(time.time())