bosnet / sebak

SEBAK, the next BOScoin Blockchain
https://devteam.blockchainos.org
GNU General Public License v3.0

Restricting access to ‘/node/’ API only from known validators? #416

Open spikeekips opened 6 years ago

spikeekips commented 6 years ago

This will be controversial :)

The APIs under ‘/node’ are used only by registered validators, so how about allowing access only from them?

If restricted, we can get some benefits from it, such as: most of the APIs under ‘/node’ use resources heavily, especially storage, so we can prevent abnormal requests from anonymous clients.

We can simply check whether a request is from a known validator or not. It’s not using the remote address of the request :)

X-SEBAK-VALIDATOR: <public address>
X-SEBAK-SIGNATURE: <signature of (‘Date’ header + receiving node's public address)>

The ‘Date’ header will be updated in every request, and if we limit the time difference, we can also prevent reusing X-SEBAK-SIGNATURE.

Geod24 commented 6 years ago

My only comment so far is that the signature should be a hash of the date + the receiving node's public key, otherwise there's an obvious vector for replay attacks.
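As an added example (not SEBAK's own code), here is a request signer and a verifier for the X-SEBAK-VALIDATOR / X-SEBAK-SIGNATURE scheme spikeekips proposes above, with the signed message built as a hash over the Date header and the receiving node's address as Geod24 suggests. Assumptions: validator addresses are hex-encoded ed25519 public keys (the real node uses Stellar-style keypairs and addresses), the Date header uses the HTTP RFC 1123 format, and the accepted clock skew is 30 seconds. It goes one step beyond the comments: because a time window alone still allows a replay inside the window, the verifier also remembers signatures it has accepted until they age out of the window and rejects exact repeats.

```go
package main

// Added example, not SEBAK's own code. Assumptions: validator address =
// hex(ed25519 public key); signed message = sha256(Date "\n" receiver address);
// Date header in http.TimeFormat (RFC 1123).

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

const (
	validatorHeader = "X-SEBAK-VALIDATOR"
	signatureHeader = "X-SEBAK-SIGNATURE"
)

var (
	ErrUnknownValidator = errors.New("validator not in known set")
	ErrBadDate          = errors.New("Date header missing or outside accepted window")
	ErrBadSignature     = errors.New("signature does not verify")
	ErrReplay           = errors.New("signature already seen inside the window")
)

// signedDigest binds the signature to one moment (Date) and one recipient
// (receiver address), so a capture cannot be replayed against another node.
func signedDigest(date, receiver string) []byte {
	sum := sha256.Sum256([]byte(date + "\n" + receiver))
	return sum[:]
}

// SignRequest stamps req with Date, the validator's address and the signature.
func SignRequest(req *http.Request, priv ed25519.PrivateKey, receiver string, now time.Time) {
	date := now.UTC().Format(http.TimeFormat)
	addr := hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	sig := ed25519.Sign(priv, signedDigest(date, receiver))
	req.Header.Set("Date", date)
	req.Header.Set(validatorHeader, addr)
	req.Header.Set(signatureHeader, hex.EncodeToString(sig))
}

// Verifier is the receiving node's view: its own address, the validators it
// knows, the accepted clock skew, and the signatures accepted inside that window.
type Verifier struct {
	Self       string
	Validators map[string]ed25519.PublicKey
	MaxSkew    time.Duration

	mu   sync.Mutex
	seen map[string]time.Time // accepted signature -> Date it carried
}

// Verify rejects unknown validators, stale or future-dated requests, signatures
// that do not verify against (Date, Self), and exact replays within the window.
func (v *Verifier) Verify(req *http.Request, now time.Time) error {
	pub, ok := v.Validators[req.Header.Get(validatorHeader)]
	if !ok {
		return ErrUnknownValidator
	}
	date := req.Header.Get("Date")
	t, err := http.ParseTime(date)
	if err != nil {
		return ErrBadDate
	}
	if d := now.Sub(t); d > v.MaxSkew || d < -v.MaxSkew {
		return ErrBadDate
	}
	sigHex := req.Header.Get(signatureHeader)
	sig, err := hex.DecodeString(sigHex)
	if err != nil || !ed25519.Verify(pub, signedDigest(date, v.Self), sig) {
		return ErrBadSignature
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if v.seen == nil {
		v.seen = make(map[string]time.Time)
	}
	for s, ts := range v.seen { // forget entries the window check would reject anyway
		if now.Sub(ts) > v.MaxSkew {
			delete(v.seen, s)
		}
	}
	if _, dup := v.seen[sigHex]; dup {
		return ErrReplay
	}
	v.seen[sigHex] = t
	return nil
}

// Demo runs the cases a reviewer wants covered: fresh request, exact replay,
// request outside the window, unknown validator, signature for another receiver.
func Demo() []error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	receiverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	self := hex.EncodeToString(receiverPub)
	v := &Verifier{Self: self, Validators: map[string]ed25519.PublicKey{hex.EncodeToString(pub): pub}, MaxSkew: 30 * time.Second}
	now := time.Date(2018, 10, 1, 12, 0, 0, 0, time.UTC) // constructed timestamp
	req, _ := http.NewRequest(http.MethodGet, "http://node.example/node/", nil)
	SignRequest(req, priv, self, now)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	stranger, _ := http.NewRequest(http.MethodGet, "http://node.example/node/", nil)
	SignRequest(stranger, strangerPriv, self, now)
	misdirected, _ := http.NewRequest(http.MethodGet, "http://node.example/node/", nil)
	SignRequest(misdirected, priv, "some-other-node-address", now)
	return []error{
		v.Verify(req, now),                      // nil
		v.Verify(req, now.Add(5*time.Second)),   // ErrReplay
		v.Verify(req, now.Add(2*time.Minute)),   // ErrBadDate
		v.Verify(stranger, now),                 // ErrUnknownValidator
		v.Verify(misdirected, now),              // ErrBadSignature
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i, err)
	}
}
```

The seen-signature map is what turns "limit the time difference" into an actual replay defence: a captured request is rejected inside the window because its signature was already accepted, and outside the window because its Date is stale. Each node keeps only signatures from the last MaxSkew, so the map stays bounded by request rate times window.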