martinberlin / cale-integrations

CALE configurator to add APIs to your epaper screens - PHP/Symfony 4.4
https://cale.es
MIT License
6 stars, 0 forks

Add an Authentication Bearer token to protect Screens and additional output options #8

Closed martinberlin closed 4 years ago

martinberlin commented 4 years ago

This Issue should be a must before launch. And it's not overly complicated to do. Simply add a bearerToken string / protected boolean in the Screen entity. If it's marked as a protected screen then a bearerToken will be generated. If it's marked as protected false (public) then this text will be shown: Anyone with this link will be able to access your Screen

Additionally, if it's protected with a bearerToken, Clients must request our application using HTTPS. (Should this be enforced?) If yes, there should be an HTTPS version of the Firmware, and that is not the case yet.

To access it, this Bearer token should be sent in the request headers; otherwise a "Not authorized" will be rendered.

Curl Example. IMPORTANT note here: this is the Authorization header required for CALE to render the HTML. But as the ESP32 sends its request to the screenshot tool to get the image, it could send this bearer in the POST body of the SSL request. That will make things easier; then the screenshot tool will send the Authorization: Bearer header to CALE using PHP.

```
$ curl https://cale.fasani.de/fasani/render/5e4c276470e42 \
  -H "Authorization: Bearer $BEARER_TOKEN"
```

It could be enough for now to pregenerate this token using PHP `hash("sha256", $username.$screen_id, false);`

This will automatically generate, for the mentioned Screen: d96829209af2764ae17a437c5c59230d7352e1fed2b036ae193ab9b2d9796387

So this bearer token and an isPublic Boolean should be added at Screen level.

NOTE: Important here to research what type of Authentication the screenshot tool can send. Pointers:

martinberlin commented 4 years ago

It is live and seems to be working solid. Bearer token is flying on the headers -> ESP32 -> Screenshot microservice, which is also sending it to the CALE html request. So this is done; now what is missing to be addressed is the TLS encryption on the Firmware side.
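The token scheme proposed in the first comment (hex SHA-256 of username.screen_id, an isPublic flag on the Screen, and an `Authorization: Bearer` header checked before rendering), as an added example in plain PHP; this is not code from the cale-integrations repository, and the function names, the array shape of the Screen and the sample username are assumptions.

```php
<?php
// Added example (not the cale-integrations code): bearer-token generation and
// verification for a Screen, following the scheme proposed in this issue.
// Function names, the Screen array shape and the sample user are assumptions.

function generateScreenToken(string $username, string $screenId): string
{
    // Same derivation as proposed in the issue: hex SHA-256 of username.screen_id
    return hash('sha256', $username . $screenId, false);
}

function extractBearerToken(array $headers): ?string
{
    // Header names are case-insensitive; accept "Authorization: Bearer <token>"
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0
            && preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            return $m[1];
        }
    }
    return null;
}

function isRenderAuthorized(array $screen, array $headers): bool
{
    // Public screens need no token: anyone with the link can access them
    if ($screen['isPublic']) {
        return true;
    }
    $presented = extractBearerToken($headers);
    if ($presented === null) {
        return false; // render "Not authorized" instead of the HTML
    }
    // hash_equals compares in constant time, avoiding a timing side channel
    return hash_equals($screen['bearerToken'], $presented);
}

// Constructed sample: one protected Screen, one valid and one invalid request
$screen = [
    'isPublic'    => false,
    'bearerToken' => generateScreenToken('alice', '5e4c276470e42'), // assumed user
];
$validRequest   = ['Authorization' => 'Bearer ' . $screen['bearerToken']];
$invalidRequest = ['Authorization' => 'Bearer ' . str_repeat('0', 64)];

var_dump(isRenderAuthorized($screen, $validRequest));
var_dump(isRenderAuthorized($screen, $invalidRequest));
```

Because the derived token is computed from values that are not themselves secret, a per-screen random token (for example `bin2hex(random_bytes(32))`) stored on the entity is the stronger choice; the header parsing and `hash_equals` comparison stay the same.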