[In-House API] Device Authentication

[noahnu]

Need a protocol for device/tablet to server communication to ensure:

Requirements

[? = Uncertain / Optional]

• Only authorized devices can make requests.
• ? Initial device authorization requires manual entry of simple one time use code.
  • Code can be separated from specific tablets. Can be part of pool.
• Authorization can be revoked on the server by specifying a tablet.
• Expiry date can be set for credentials, at which point handshake must be repeated.
  • ? Expiry date sits on server, and server can extend expiry date at any time (i.e. auto disable when payment plan expires).
• Secondary expiry date for renewing handshake w/o user input (standard token expiry).

Under assumptions:

• Connection is over HTTPS, thus all data is in transfer is encrypted.
• MITM is impossible due to HTTPS and valid cert check.

Proposed Implementation

Using HTTP Bearer Authorization. Not full OAuth.

• If device has access_token, use it.
• If no token, or invalid token (not the same as expired), "register" using UUID.
• If token is expired, "renew" using access_token and UUID.

Register API

• Requires: UUID + request_token (obtained from user-input)
• INSERT row (w/ ignore on duplicate): (uuid, access_token, token_expiry)
  • access_token is UNIQUE and randomly generated.
• Return (access_token, token expiry)

Renew API

• Requires: UUID + access_token
• If store is not expired, issue new access_token + expiry (update row) and return it to client.
• If store is expired, remove access token from row and tell client about expiry.
  • Client will delete local access_token, and re-initiate request process (prompting user for input).

Request Token Generation

• User goes to "Setup New Tablet" and clicks "Add Tablet". Request token is generated for the Store (short token which can be entered by user). Expiry is used to keep token short while retaining brute-force difficulty despite low entropy.
  • Schema: (storeId, _request_token_, expiry) UNIQUE (_request token)

---

Related to #99

[noahnu]

Update: Just need to add the "handshake" to the client and a way to generate request tokens.

New Schema:

CREATE TABLE `device_request_tokens` (
    `StoreID` INT(11) NOT NULL,
    `RequestToken` VARCHAR(128) PRIMARY KEY,
    `ExpiryDate` INT(11) NOT NULL,
    FOREIGN KEY (`storeID`) REFERENCES stores(`id`)
        ON UPDATE CASCADE
        ON DELETE CASCADE
) ENGINE=InnoDB;

CREATE TABLE `device_authorization` (
    `AccessToken` VARCHAR(128) PRIMARY KEY,
    `DeviceUUID` VARCHAR(128) UNIQUE KEY,
    `ExpiryDate` INT(11) NOT NULL
) ENGINE=InnoDB;

ALTER TABLE `tablets` ADD UNIQUE (`SerialCode`);

[noahnu]

Schema changes made to production.