Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate in adding a nonce to the resumption tokens #29

Open
poikilotherm opened this issue Jun 2, 2022 · 1 comment
Open

Investigate in adding a nonce to the resumption tokens #29

poikilotherm opened this issue Jun 2, 2022 · 1 comment
Labels
data-provider Related to Data Provider implementation enhancement New feature or request

Comments

@poikilotherm
Copy link
Member

poikilotherm commented Jun 2, 2022

  • Spec says resumption tokens must be idempotent.
  • By default, we simply encode the request parameters with Base64
  • This opens the possibility for crafting stupid requests, etc

Adding a nonce when the token is created means it can be used to identify cached entries coming from the same origin. An implementing repository could discard any requests with an unrecognized nonce.

Of course, the nonce would need a shared secret between the library and the repository - otherwise there won't be a common ground to identify valid new tokens crafted by the library and sent to the repository. As there already is RepositoryConfiguration, this is an easy thing to add.

The secret should be some random string by default, so it get's re-initialized on every application start by default to avoid at least very stupid replay attacks (expiring old tokens). An application using the library may choose to provide a static key, schedule rotation etc - that's up to their DevSecOps. Applications storing tokens in a database can use the recent secret to identify old entries.

@landreev
Copy link
Collaborator

landreev commented Jun 3, 2022

I agree that this may be something we want to consider adding. Though it may not be the highest priority thing to address.

At the very least, I don't think it's a big opening for abuse - the "opens the possibility for crafting stupid requests" part. The stupidest request somebody can make is to ask the configured Max. number of records at a random offset; but why would anyone want to do that to us, what's in it for them? As a DOS attack, just to annoy us/waste our CPU cycles, anyone can just run ListRecords on a set with more than Max. records repeatedly, getting the first page of records that does not require any resumption token. (?)

There is a different issue that this could address; that's not about abuse, but about ensuring that the set in question is "fresh" and hasn't changed since the token was issued. It can be solved potentially by being able to invalidate all the outstanding resumption tokens for a given set, if the set has been updated. Can be as simple as a randomly-generated string saved in the database for every set, that is used to generate tokens, that gets updated every time the contents of the set are modified... But I do believe that there is also a simpler solution, that would not require to maintain this token state. (but I need to confirm that).

@poikilotherm poikilotherm added enhancement New feature or request data-provider Related to Data Provider implementation labels Jun 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
data-provider Related to Data Provider implementation enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants