In #2632, API signature validation was added to the backend service. The same approach was used for the auth service in #2709, but it was mentioned in the linked comment that it was vulnerable to replay attacks. That was addressed in the PR for the auth service, but it also needs to be patched in the backend service.
See https://github.com/interledger/rafiki/pull/2709#discussion_r1596469843
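
A sketch of the kind of replay check this issue asks for, added here as an example and not taken from Rafiki or from either PR. The header format (`t=<ms>, v1=<hex HMAC-SHA256 of "t.body">`), the 30-second window, the in-memory cache and all names are assumptions.

```javascript
// Added example, not project code. Assumed header: "t=<unix ms>, v1=<hex HMAC>".
const crypto = require('node:crypto')

function sign(secret, timestamp, body) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${body}`).digest('hex')
}

// Returns a verifier with its own replay cache. With several service
// instances the cache would have to live in a shared store instead.
function createVerifier(secret, toleranceMs = 30_000) {
  const seen = new Map() // digest -> time (ms) after which it can no longer be fresh

  return function verify(header, body, now = Date.now()) {
    const match = /^t=(\d+), v1=([0-9a-f]{64})$/.exec(header ?? '')
    if (!match) return 'malformed'
    const [, t, digest] = match

    // 1. Signature check alone: a captured request passes this forever.
    const expected = sign(secret, t, body)
    const ok = crypto.timingSafeEqual(Buffer.from(digest, 'hex'), Buffer.from(expected, 'hex'))
    if (!ok) return 'bad-signature'

    // 2. Freshness: bounds how long a captured request stays usable.
    const timestamp = Number(t)
    if (Math.abs(now - timestamp) > toleranceMs) return 'stale'

    // 3. Single use inside the window: remember each accepted digest until
    //    its timestamp falls out of the window, then drop it.
    for (const [d, expiry] of seen) if (expiry < now) seen.delete(d)
    if (seen.has(digest)) return 'replayed'
    seen.set(digest, timestamp + toleranceMs)
    return 'ok'
  }
}

// Constructed sample request, verified four ways.
function demo() {
  const secret = 'constructed-secret'
  const body = JSON.stringify({ query: 'mutation { constructedExample }' })
  const t0 = 1_700_000_000_000
  const header = `t=${t0}, v1=${sign(secret, t0, body)}`
  const verify = createVerifier(secret)
  return [
    verify(header, body, t0 + 1_000), // first delivery
    verify(header, body, t0 + 2_000), // same request sent again
    verify(header, body, t0 + 60_000), // same request after the window
    verify(header, body + ' ', t0 + 1_000) // body altered in transit
  ]
}
```

Steps 2 and 3 are both needed: the timestamp check alone still accepts a duplicate sent within the window, and the cache alone would have to grow without bound.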