Redis Security
If you're using the Redis backend, you need to be able to protect the database from malicious clients. As of v0.1.0, DrMem has a config option to indicate the host and port of the Redis server. I configure Redis to only listen to the loopback address. This means DrMem has to be running on the same system and it relies on the system's security to limit who can log into the machine.
If you have several DrMem instances and want to share a Redis instance, then Redis will need a publicly accessible address. Redis can be configured to restrict database keys to certain clients. If we want this tighter control, we'll have to make the following changes to DrMem:
The config file will specify the address and port of the Redis server (as it does currently), but it can also specify whether the connection is encrypted. We'll have to determine whether we should support self-signed certificates.
Each driver instance should have optional name/password fields. That way each driver can be restricted to only update specific database keys. The name/password fields are unused for the simple backend.
GraphQL Security
Currently we're using an unencrypted, open HTTP connection to control DrMem. I envision mobile and web apps interfacing with DrMem. But we want to keep things simple since the only clients to my control system will be my phone and maybe tablet. For this tiny use-case, I think the following can be used:
A self-signed certificate can be generated for each DrMem instance. The DrMem config file will specify the location of the certificate. From this certificate, you can obtain the digital "fingerprint".
When writing a mobile app, you can compile the fingerprint into the source, or provide an entry field to import it. This way the app can connect to DrMem and verify the certificate without the Internet being required.
For your application, you generate a client-side certificate and build it into your mobile app (this assumes you're not putting your app on a store for others to download).
In your DrMem config, a field named clients takes an array of digital fingerprints. These are the accepted clients that can connect.
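The fingerprint check described above, as an added example that is not DrMem's own code: it computes a certificate fingerprint and matches a presented certificate against the clients array. SHA-256 as the fingerprint hash, the function names, the accepted fingerprint formats and the sample certificates (constructed stand-ins) are assumptions.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize(text: str) -> str:
    """Accept bare hex or openssl-style 'sha256 Fingerprint=AB:CD:...' text."""
    hexed = text.split("=")[-1].replace(":", "").strip().lower()
    if len(hexed) != 64 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hexed


def is_allowed(peer_pem: str, clients: list) -> bool:
    """Check a presented certificate against the configured fingerprints."""
    seen = fingerprint(peer_pem)
    ok = False
    for entry in clients:  # no early exit; each comparison is constant-time
        ok |= hmac.compare_digest(seen, normalize(entry))
    return ok


def colon_form(fp: str) -> str:
    """Render a fingerprint as colon-separated uppercase hex pairs."""
    pairs = [fp[i:i + 2] for i in range(0, len(fp), 2)]
    return "sha256 Fingerprint=" + ":".join(pairs).upper()


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
# The fingerprint only hashes the DER bytes, so these exercise the same path.
PHONE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: phone client certificate")
TABLET_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: tablet client certificate")
UNKNOWN_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: unlisted certificate")

# Hypothetical value of the clients array from the DrMem config.
CLIENTS = [fingerprint(PHONE_PEM), colon_form(fingerprint(TABLET_PEM))]

if __name__ == "__main__":
    samples = [("phone", PHONE_PEM), ("tablet", TABLET_PEM), ("unknown", UNKNOWN_PEM)]
    for name, pem in samples:
        print(name, fingerprint(pem)[:16], is_allowed(pem, CLIENTS))
```

A malformed entry in the array raises ValueError instead of being skipped, so a typo in the config fails loudly at check time.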