pion / turn

Pion TURN, an API for building TURN clients and servers
MIT License

Detect stale nonces #168

Open Sean-Der opened 3 years ago

Sean-Der commented 3 years ago

Update buildNonce and authenticateRequest to generate and check the times on those.

jech commented 3 years ago

That's debatable.

RFC 8489 merely says "See Section 5.4 of [RFC7616] for guidelines.", while RFC 7616 says

   the server is
   free to construct the nonce such that it MAY only be used from a
   particular client, for a particular resource, for a limited period of
   time or number of uses, or any other restrictions.  Doing so
   strengthens the protection provided against, for example, replay
   attacks (see Section 5.5).  However, it should be noted that the
   method chosen for generating and checking the nonce also has
   performance and resource implications.
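Added example, not pion/turn's own code and not code either commenter posted: one way to implement the time-limited nonce Sean-Der asks for in the opening comment and that RFC 7616 (quoted above) permits. The nonce layout, the `BuildNonce`/`CheckNonce` names and the server secret are assumptions; a stale nonce is reported separately from a forged one so the server can answer with 438 Stale Nonce and a fresh nonce.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Hypothetical scheme, not pion/turn's own code:
// nonce = base64url(8-byte big-endian unix seconds || 16-byte HMAC-SHA256 tag).
const tagLen = 16

var ErrBadNonce, ErrStaleNonce = errors.New("turn: malformed or forged nonce"), errors.New("turn: nonce expired")

func nonceTag(key, ts []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(ts)
	return mac.Sum(nil)[:tagLen]
}

// BuildNonce records the issue time inside the nonce and authenticates it with the
// server secret, so a client can neither mint a nonce nor move its timestamp forward.
func BuildNonce(key []byte, now time.Time) string {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(now.Unix()))
	return base64.RawURLEncoding.EncodeToString(append(ts, nonceTag(key, ts)...))
}

// CheckNonce rejects nonces that fail to decode or carry a wrong tag (constant-time compare)
// and reports ErrStaleNonce once the nonce is older than lifetime or claims a future time.
func CheckNonce(key []byte, nonce string, now time.Time, lifetime time.Duration) error {
	raw, err := base64.RawURLEncoding.DecodeString(nonce)
	if err != nil || len(raw) != 8+tagLen || !hmac.Equal(raw[8:], nonceTag(key, raw[:8])) {
		return ErrBadNonce
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(raw[:8])), 0)
	if now.Before(issued) || now.Sub(issued) > lifetime {
		return ErrStaleNonce
	}
	return nil
}

func main() {
	key := []byte("constructed-server-secret") // constructed sample secret, not a real one
	fmt.Println(CheckNonce(key, BuildNonce(key, time.Now()), time.Now(), time.Hour))
}
```

Because the tag binds the timestamp, the server needs no per-nonce state; rotating the secret invalidates every outstanding nonce at once.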