Closed mle-moni closed 2 months ago
> but when I glanced at the source code, I saw no such system implemented
Oh my, you're absolutely right. It looks like I only partially implemented it. The auth flow happens during the hello (handshake) API call, but it isn't passed down to the second submit API call. What an oversight! Yikes.
I'll fix this right away. Thank you so much for noticing.
Okay, this is all fixed in Performa v1.1.4 and Performa Satellite v1.1.4. You will have to upgrade both to the latest version.
The authentication mechanism now uses a time-based auth token, generated using the secret key, and validated in both the submit and snapshot APIs. Your server clocks all need to be within +/- 1 minute of each other for this to work.
Thanks again!
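An added sketch of the kind of time-based token described in the comment above, showing why the clocks must agree to within a minute. This is not part of the thread and not Performa's actual code: the function names, the token layout and the binding of the token to the request body are all assumptions.

```javascript
// Added illustration, NOT Performa's real token scheme. All names are hypothetical.
const crypto = require('node:crypto');

const MAX_SKEW_SEC = 60; // the +/- 1 minute clock tolerance mentioned above

// Satellite side: MAC the current epoch second together with the request body.
function makeAuthToken(secretKey, body, nowSec = Math.floor(Date.now() / 1000)) {
  const mac = crypto.createHmac('sha256', secretKey)
    .update(`${nowSec}\n${body}`)
    .digest('hex');
  return `${nowSec}.${mac}`;
}

// Server side: true only for a fresh token made with the same key over the same body.
function verifyAuthToken(secretKey, body, token, nowSec = Math.floor(Date.now() / 1000)) {
  const match = /^(\d{1,12})\.([0-9a-f]{64})$/.exec(String(token));
  if (!match) return false; // malformed token
  const ts = Number(match[1]);
  if (Math.abs(nowSec - ts) > MAX_SKEW_SEC) return false; // stale, or clocks too far apart
  const expected = crypto.createHmac('sha256', secretKey)
    .update(`${ts}\n${body}`)
    .digest();
  const given = Buffer.from(match[2], 'hex'); // 64 hex chars -> 32 bytes, same as expected
  return crypto.timingSafeEqual(expected, given); // constant-time comparison
}

// Constructed sample values, for demonstration only.
const SECRET = 'constructed-example-secret';
const BODY = JSON.stringify({ hostname: 'sat01.example', cpu: 12.5 });
const T0 = 1700000000;

function demo() {
  const token = makeAuthToken(SECRET, BODY, T0);
  return {
    fresh: verifyAuthToken(SECRET, BODY, token, T0 + 30),
    stale: verifyAuthToken(SECRET, BODY, token, T0 + 61),
    wrongKey: verifyAuthToken('other-key', BODY, token, T0),
    tampered: verifyAuthToken(SECRET, BODY.replace('12.5', '99'), token, T0),
    malformed: verifyAuthToken(SECRET, BODY, 'not-a-token', T0),
  };
}

console.log(demo());
```

A token built this way can still be replayed with the same body inside the 60-second window, so it authenticates the sender rather than making each request unique.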
Thank you so much for your reactivity!
First, I would like to thank you for this really good software!
Now, to get to the point, I have a question about security.
The docs say
When I read that, I thought that when a satellite sends data to the main Performa server, it does it by authenticating itself with the secret key, but when I glanced at the source code, I saw no such system implemented, so I wonder if an attacker could spam my main Performa server with huge amounts of fake satellite server data?
If I want to prevent this, do you have any advice on how to implement it?