Right now we trust every call to the updates endpoint, as long as it has a valid ID. This is not optimal.
I wrote a bit about it in the code:
// 0. In production, only accept device updates from the Yggio API URL set in .env - No spoofers!
//TODO: Implement - currently there seems to be no way to add a "secret" to Yggio subscriptions, since they only send iotnode, diff, event
// Using req.hostname or similar is also a challenge if we are deployed behind many proxies, such as on Heroku
// Perhaps a solution involving the route for this API call, it is currently /api/updates/:deviceId, but maybe if it was /updates/:deviceId/:secret
// that would require some reworking of this controller however
Seems hard to solve before handover, but maybe something Sensative wants to take on?
Time estimate: ?? hours
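The `/updates/:deviceId/:secret` idea from the code comment, sketched as an added example (not the project's own code). It assumes an Express-style `req`/`res`; the env variable `UPDATES_SECRET_KEY` and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side key loaded from .env (UPDATES_SECRET_KEY is a made-up name).
// The fallback string is a constructed demo value for running this file stand-alone.
const SERVER_KEY = process.env.UPDATES_SECRET_KEY || 'constructed-demo-key-do-not-use';

// Per-device secret = HMAC-SHA256(serverKey, deviceId). Nothing extra has to be
// stored, and the URL of one device does not reveal the secret of another.
function deviceSecret(deviceId, key = SERVER_KEY) {
  return crypto.createHmac('sha256', key).update(String(deviceId)).digest('hex');
}

// Callback path to register when creating the subscription for a device.
function subscriptionPath(deviceId, key = SERVER_KEY) {
  return `/api/updates/${encodeURIComponent(deviceId)}/${deviceSecret(deviceId, key)}`;
}

// Constant-time check of the :secret path segment.
function isAuthenticUpdate(deviceId, presented, key = SERVER_KEY) {
  if (typeof presented !== 'string') return false;
  const expected = Buffer.from(deviceSecret(deviceId, key), 'utf8');
  const given = Buffer.from(presented, 'utf8');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Middleware for the route /api/updates/:deviceId/:secret.
function updatesHandler(req, res, next) {
  const { deviceId, secret } = req.params;
  if (!isAuthenticUpdate(deviceId, secret)) {
    // Same response as an unknown route, so callers learn nothing about valid IDs.
    return res.status(404).end();
  }
  return next();
}
```

A secret in the path ends up in access logs and proxy logs, so those need to be scrubbed or access-restricted, and the endpoint should only be reachable over HTTPS.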