[bisq-network/bisq] Minimal api (#3001)
notifications at github.com
Wed Aug 28 21:09:06 UTC 2019
Sorry to bring another issue to the mix and be a pain in the ass again :(
The authorization based on a fixed token is not secure against replay attacks, regardless of the underlying transfer protocol. Unfortunately, security against replay attacks requires signing individual requests, which is more complex.
My proposal is to remove authentication and authorization altogether.
This way we make it clear that the API service is only supposed to be used locally. Which is perfectly fine for the initial version!
Also, that would significantly reduce the diff to review, as a large part seems to be authentication and authorization related.
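The contrast raised in this comment, as an added example that is not part of the original message or of the Bisq code: a fixed token is accepted every time it is presented, while a per-request MAC over a timestamp and nonce lets the server reject a second presentation. The shared HMAC-SHA256 key, the 30-second window and all function and field names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # assumed freshness window in seconds


def check_fixed_token(expected: str, presented: str) -> bool:
    """Static bearer token: a captured copy is accepted again on every replay."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def _mac(key, method, path, ts, nonce, body):
    # The MAC covers method, path, timestamp, nonce and a hash of the body.
    parts = [method, path, ts, nonce, hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def sign_request(key, method, path, body, now=None):
    """Client side: attach a timestamp, a fresh random nonce and the MAC."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "mac": _mac(key, method, path, ts, nonce, body)}


class Verifier:
    """Server side: accept each validly signed request at most once."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> time after which its timestamp is stale anyway

    def verify(self, method, path, body, auth, now=None):
        now = time.time() if now is None else now
        ts, nonce, mac = (str(auth.get(k, "")) for k in ("ts", "nonce", "mac"))
        if not (ts.isdecimal() and len(ts) <= 12) or abs(now - int(ts)) > MAX_SKEW:
            return False  # missing, malformed or stale timestamp
        expected = _mac(self.key, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False  # wrong key, or request altered after signing
        self.seen = {n: t for n, t in self.seen.items() if t >= now}
        if nonce in self.seen:
            return False  # same signed request presented a second time
        self.seen[nonce] = int(ts) + MAX_SKEW
        return True
```

The nonce table only has to remember entries for the length of the freshness window, because anything older is already rejected by the timestamp check.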