Closed tobihagemann closed 1 year ago
For documentation: We talked about the custom header and if it can be faked. An idea is to sign the header with the vault key or the vault owner, in order to ensure that this is not possible.
Update on faking the custom header: It's impossible to sign the subscription state at the moment because this information is only known to the backend. We would need to introduce a new key pair for Hub and this is out of scope for this PR. However, we make sure that the mobile clients have to explictily check for the ACTIVE
and INACTIVE
values. When we introduce a signed subscription state at some point and use a different value, old mobile clients should treat it as INACTIVE
.
The following changes have been done to add compatibility for Cryptomator's mobile apps:
type
to the Device entity and made sure thatDESKTOP
is default.But as you can see, there is still this temporary code:
I'm not sure what to name this header and what it should represent yet. E.g., if it's set to
READ_ONLY
but the user has bought the full version of the app, they should still have read/write access. That could be confusing. A different approach would be to have a header namedHub-License-Edition
withCOMMUNITY
andSTANDARD
or something like that.Furthermore, I've copied other useful changes from the
feature/refactored-access-grant
branch:BROWSER
device type already, even though it's not used yet.