getHandshakePin problem

[bedilbek]

As I understood from the flow of the system, the pin that is generated from getHandshakePin function is also used in getUploadToken to validate whether user has a right to upload his history data.

I am curious about this flow. If it's the case that the same pin taken from then getHandshakePin process used as a token via getUploadToken, is't it a bad approach to save that pin in local storage of the device. And why backend should send that pin to the user at getHandshakePin process?

Or if we look from different prespective, let's say we do not use the same pin generated from getHandshakePin to store it as an UploadToken using storeUploadCodes function, so that we will use different tokens generated by Health Authorities instead of those pins. Then, why we need that pin from getHandshakePin?

I understand that maybe I am not understanding the flow fully, so I ask for an advice to shed the light in this situation.

Thanks!

[qtangs]

The 2 functions actually serve distinct purposes:

• getHandshakePin is used to generate a user-specific pin so that users can verify any caller or sms sent to them, asking them to upload data. This protects users from spam calls/messages.
• getUploadToken is used to generate a global upload code that any user can use to prove that the user has the right to upload data. This protects the server from spam uploads.

[bedilbek]

@qtangs Thank you, now I understand the process fully