TryQuiet / quiet

A private, p2p alternative to Slack and Discord built on Tor & IPFS
https://www.tryquiet.org
GNU General Public License v3.0

Each client should validate orbitdb data #89

Open holmesworcester opened 2 years ago

holmesworcester commented 2 years ago

We should do everything we can to validate messages (and other data like channels and users) at the orbitdb layer, or between the syncing layer and the state layer, on the receiving end.

https://github.com/orbitdb/orbit-db/blob/main/GUIDE.md#custom-access-controller

validate:

  1. signature
  2. sender
  3. message data, format, etc.
  4. message size limits
  5. add corresponding message size limits to the frontend
  6. channels
  7. users
  8. community name

We should discuss what makes sense here. The basic idea is that if someone is sending tons of invalid messages that will be ignored, we don't want to be storing them forever.

kingalg commented 1 year ago

At this moment (we are on production version 1.8.0) we are validating point 1 - signature. So points 2-5 are still to be done.
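An added sketch of receive-side validation covering the signature, sender, format, size and channel checks from the list in this issue. It is not Quiet's code and is not written by anyone in this thread. The message fields, the `registry` shape, the 10 KiB limit, the Ed25519 keys and the `entry.payload.value` layout are assumptions; `canAppend(entry, identityProvider)` is the hook described in the linked OrbitDB guide.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const MAX_MESSAGE_BYTES = 10 * 1024; // assumed limit; the issue names no number

// Bytes covered by the signature: every field except the signature itself.
function signedBytes(msg) {
  return Buffer.from(JSON.stringify([msg.channelId, msg.sender, msg.createdAt, msg.text]));
}

// Returns null when the message is acceptable, otherwise the reason to reject it.
// registry (hypothetical): { users: Map<name, public KeyObject>, channels: Set<channelId> }
// Cheap structural checks run first so oversized or malformed input never reaches verify().
function rejectReason(msg, registry) {
  if (typeof msg !== 'object' || msg === null) return 'format';
  const { channelId, sender, createdAt, text, signature } = msg;
  if (typeof channelId !== 'string' || typeof sender !== 'string' ||
      typeof text !== 'string' || typeof signature !== 'string' ||
      !Number.isSafeInteger(createdAt)) return 'format';
  if (Buffer.byteLength(text, 'utf8') > MAX_MESSAGE_BYTES) return 'size';
  if (!registry.channels.has(channelId)) return 'channel';
  const publicKey = registry.users.get(sender);
  if (!publicKey) return 'sender';
  const ok = verify(null, signedBytes(msg), publicKey, Buffer.from(signature, 'base64'));
  return ok ? null : 'signature';
}

// Shape of the access-controller hook: returning false keeps the entry out of the log,
// so invalid messages are dropped on receipt instead of being stored.
class ValidatingAccessController {
  constructor(registry) { this.registry = registry; }
  async canAppend(entry, identityProvider) {
    return rejectReason(entry?.payload?.value, this.registry) === null;
  }
}

// Constructed sample data: one known user, one known channel, one signed message.
function makeSample() {
  const alice = generateKeyPairSync('ed25519');
  const registry = { users: new Map([['alice', alice.publicKey]]), channels: new Set(['general']) };
  const msg = { channelId: 'general', sender: 'alice', createdAt: 1700000000000, text: 'hello' };
  msg.signature = sign(null, signedBytes(msg), alice.privateKey).toString('base64');
  return { registry, msg };
}
```

The frontend item in the list (point 5) would reuse the same `MAX_MESSAGE_BYTES` constant so the sender is stopped before the receiver has to reject.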