Open ctnadovich opened 5 months ago
Regarding security/auth, it seems that nothing authenticates future_events. A malicious user of eBrevet could direct their app to their own altered copy of future_events, with altered parameters, and yet still post checkins to the real region server. The checkins themselves are authenticated, but a malicious future_events copy could alter control locations. If proximity radius could also be set, then all sorts of shenanigans could ensue.
This issue should be put on hold till an auth signature is added to future_events and the app verifies this signature.
future_events now has an auth signature. No support in eBrevet yet.
It would be useful if options for eBrevet could be selected on a per-event/region/control basis. For example, the proximity_radius could be set this way, as well as other "developer" options like the one that ignores control open/close times. Security/authentication issue?
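The check discussed in this thread, as an added example that is not part of the thread or of eBrevet's code: the app accepts future_events only if a signature over the whole document verifies, so control locations and per-event options such as proximity_radius cannot be altered in a substituted copy. The page does not say how future_events is signed; HMAC-SHA256 with a constructed key stands in here (an app shipped to users would verify a public-key signature instead), and every field name except proximity_radius is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key; the signing scheme is an assumption, not eBrevet's.
DEMO_KEY = b"constructed-demo-key"

def canonical(events):
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(events, sort_keys=True, separators=(",", ":")).encode()

def sign(events, key=DEMO_KEY):
    """Region-server side: wrap the event list with a signature over all of it."""
    sig = hmac.new(key, canonical(events), hashlib.sha256).hexdigest()
    return {"event_list": events, "signature": sig}

def verify(doc, key=DEMO_KEY):
    """App side: return the event list only if the signature matches."""
    try:
        events, sig = doc["event_list"], doc["signature"]
        expected = hmac.new(key, canonical(events), hashlib.sha256).hexdigest()
        ok = isinstance(sig, str) and hmac.compare_digest(expected, sig)
    except (KeyError, TypeError, ValueError):
        ok = False  # malformed document is treated the same as a bad signature
    if not ok:
        raise ValueError("future_events signature check failed")
    return events

# Constructed sample document (hypothetical field names).
SAMPLE = [{
    "event_id": "DEMO-1",
    "proximity_radius": 500,
    "ignore_control_times": False,
    "controls": [{"name": "Start", "lat": 40.0, "lon": -75.0}],
}]

def accepts(doc):
    """True if the app would load this document, False if it is rejected."""
    try:
        verify(doc)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    doc = sign(SAMPLE)
    altered = json.loads(json.dumps(doc))  # deep copy, then widen the radius
    altered["event_list"][0]["proximity_radius"] = 50000
    print(accepts(doc), accepts(altered))
```

Because the signature covers the per-event options together with the controls, the app has to read those options from the verified document rather than from local settings for the check to mean anything.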