bitpay / node-bitpay-client

A Node.js module and command line client for interacting with BitPay's Cryptographically Secure API

The 'nonce' parameter is fundamentally broken #51

Closed pesho closed 9 years ago

pesho commented 9 years ago

The nonce parameter is required to increase monotonically. This may work well in single-process apps, but is a broken approach in modern distributed apps.

E.g. node-bitpay-client uses the current time to seed the nonce. This causes failed API requests when several processes are started.

martindale commented 9 years ago

This may be relevant to bitpay/bitauth#13, though I wonder if nonce should be a part of BitAuth, or should remain in the BitPay API.

martindale commented 9 years ago

Continuing from the Reddit discussion:

Generating separate keypairs for each process is not a good solution. It's a manual operation, requiring a live person with access to the BitPay account to grant access for each process separately. We live in the PaaS era, when firing new processes is supposed to be a cheap and quick, even automatic operation.

This should be possible today; once the very first identity is created (and a corresponding token, containing the capability to authorize additional tokens), subsequent identity claims can be approved through the API by using this token. This is definitely a use case that has been on our mind that we aim to improve based on real-world use.

braydonf commented 9 years ago

With the addition of API sessions, this issue should be good to close.
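The failure pesho describes above (several processes seeding a shared identity's nonce from the clock) and the per-session approach braydonf refers to, modelled as an added example in JavaScript; this is not code from node-bitpay-client or the BitPay API, and `NonceGate`, `makeProcess`, the key/session names and the start times are constructed for illustration.

```javascript
// Minimal model of a server that requires a strictly increasing nonce
// per key (identity or session). Hypothetical names; not BitPay's code.
class NonceGate {
  constructor() { this.last = new Map(); } // key -> last accepted nonce
  accept(key, nonce) {
    const prev = this.last.has(key) ? this.last.get(key) : -1;
    if (nonce <= prev) return false; // out-of-order or replayed: reject
    this.last.set(key, nonce);
    return true;
  }
}

// A client process that seeds its nonce from the wall clock at start-up
// and then increments it for every request (the pattern from the issue).
function makeProcess(key, startMs) {
  let nonce = startMs; // constructed start time standing in for Date.now()
  return () => ({ key, nonce: nonce++ });
}

// Scenario 1: two processes share one identity. The process started later
// pushes the server's "last nonce" ahead, and the earlier process's later
// requests are rejected even though they are legitimate.
function sharedKeyScenario() {
  const gate = new NonceGate();
  const a = makeProcess('identity-1', 1000);
  const b = makeProcess('identity-1', 1005);
  const send = (req) => gate.accept(req.key, req.nonce);
  return [send(a()), send(b()), send(a()), send(a())];
  // a:1000 accepted, b:1005 accepted, a:1001 rejected, a:1002 rejected
}

// Scenario 2: each process holds its own session, so the server tracks a
// separate nonce sequence per session and the processes no longer collide.
function perSessionScenario() {
  const gate = new NonceGate();
  const a = makeProcess('session-A', 1000);
  const b = makeProcess('session-B', 1005);
  const send = (req) => gate.accept(req.key, req.nonce);
  return [send(a()), send(b()), send(a()), send(a())];
  // all four accepted
}
```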

pesho commented 9 years ago

It seems so. I'm closing the issue. Thanks to all involved in fixing it.