API Authentication Improvements #30

Closed
3 of 4 tasks
DaneEveritt opened this issue Jan 16, 2016 · 1 comment
Labels
bug Something that's not working as it's intended to be. core change A feature request or enhancement that changes an existing feature or behaviour significantly.

Comments

@DaneEveritt
Member

Discussion is welcome here.

  • Firstly, the IP checking within the API needs to be modified a bit to allow for CIDR notation so we don't necessarily have to store a huge quantity of IPs in the database.
  • Secondly, the secret token for the API, consider ideas for how to securely store this in the database. We could encrypt it, which would protect it in the event that the database is compromised, but not in the event that the database and code are compromised since they would then get access to the encryption token. We could also just store it as plaintext.
  • Important: the current method of signing the request before sending it is missing the request type (i.e. POST, GET) which could allow for a replay attack to target a different method (i.e. intercept GET and then change the method to POST).
  • Additionally, consider adding a timestamp which could prevent a replay attack if the time is not within x minutes of the server time. This opens up issues with systems that have vastly different times (i.e. differ by hours or days). This can also just be mitigated by using HTTPS.
@DaneEveritt DaneEveritt added bug Something that's not working as it's intended to be. core change A feature request or enhancement that changes an existing feature or behaviour significantly. labels Jan 16, 2016
@DaneEveritt
Member Author

Encryption of secret keys was added in 317698a

CIDR was added in c701aa0
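
The checks discussed in this issue, sketched as an added example that is not part of the issue thread and not the project's own code: an HMAC signature that covers the request method and a timestamp, a freshness window, and an IP allowlist that accepts CIDR entries. The canonical string layout, the 300-second window, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

MAX_SKEW_SECONDS = 300  # assumed value for the issue's "x minutes"
SECRET = b"constructed-demo-secret"            # constructed sample key
ALLOWED = ["203.0.113.0/24", "198.51.100.7"]   # constructed allowlist


def canonical_string(method, path, timestamp, body=b""):
    """Data that gets signed: method and timestamp are bound to the request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(int(timestamp)), body_hash]).encode()


def sign(secret, method, path, timestamp, body=b""):
    message = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def ip_allowed(client_ip, allowed):
    """Entries may be single addresses or CIDR blocks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def verify(secret, allowed, client_ip, method, path, timestamp, body, signature, now):
    """Return "ok" or the reason the request is rejected."""
    try:
        if not ip_allowed(client_ip, allowed):
            return "ip_denied"
        if abs(int(now) - int(timestamp)) > MAX_SKEW_SECONDS:
            return "stale_timestamp"
    except ValueError:
        return "malformed"
    expected = sign(secret, method, path, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    return "ok"


if __name__ == "__main__":
    now = 1700000000  # constructed clock value
    sig = sign(SECRET, "GET", "/api/example", now)
    for method, when in (("GET", now), ("POST", now), ("GET", now + 3600)):
        print(method, when, verify(SECRET, ALLOWED, "203.0.113.9", method,
                                   "/api/example", now, b"", sig, when))
```

The timestamp check only bounds how long a captured request stays valid; rejecting a repeat inside the window would additionally need a per-request nonce that the server remembers.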
