search

amark / gun

An open source cybersecurity protocol for syncing decentralized graph data.
https://gun.eco/docs
Other
18.03k stars 1.16k forks source link

Can literally anyone just put anything to any server? #1238

Open igormuba opened 2 years ago

igormuba commented 2 years ago

I have reading issues about how to "moderate" server interactions to validate that user actions are valid, but all I can find is people preaching about descentralization, which is fair and what I want too. The problem is, I could not find documentation about how to add a middleware to my server. All my server can do is listen and allow anyone to add anything to my node, regardless as if it is the intended usage or not (as far as I could understand) which opens a LOT of room for abuse.

Suppose you want to create an specific application, what is there to prevent other people from using your server/node to store their own unrelated data? From all the examples I have read I don't even need my own server, I can use any peer that showed their server/port to store stuff for my own applications. The client side seems to have all the power to validate data, authentication and transactions, which is fair, but it makes it useless to run a server since all you need is some IP/port to use as if it is your own. Shoudn't the server have the same functionalities?

For example, only allow a set of nodes/graphs to be used and only allow authenticated users? Or, for example, parse the input and only allow text and no special characters?...

Isn't there any way to add validation, before storing or transmiting data from/to the server side?...

zilveer commented 2 years ago

@igormuba yes that is correct, but there is graph and path validation on the super node which you can run, so this restricts the users from putting anything on the server.

igormuba commented 2 years ago

@zilveer can you, please, point an example of that? I tried to understand how would that work, to prevent abuse and unrelated content, but couldn't find content about graph/path and super node, mostly all examples focus on a general server that allows anything, and leave the logic for the front end

zilveer commented 2 years ago

@igormuba I agree about the docs, but I think @amark has too much to do to update the docs. But everyone is welcome to edit the docs.

Here is an example of restricting path writes with authentication as well.

https://github.com/zrrrzzt/gun-restrict-examples/tree/master

Hope it helps.

sbrow commented 1 year ago

there is graph and path validation on the super node which you can run, so this restricts the users from putting anything on the server.

@zilveer Would you mind explaining / linking to how to implement this? I've been trying to work out how to use public space in gun, and as far as I can tell its impossible.*

* By that I mean, since there is no way to validate data before it gets pulled in (IIRC), there's nothing stopping someone from creating a node that just listens to every key it can find and calling

gun.get('<keyname>').on(() => {
  gun.get('<keyname>').put(null);
})

I understand that we want "everyone" to be able to edit public objects, but I feel like application developers should at least have the option to verify that the latest graph data makes sense before committing it to their local store.