Open hstove opened 4 years ago
@hstove I read through the diff -- the code looks good and it appears to fix the issue. However, I have little understanding of the general codebase, and definitely don't have a grasp on the functional end-to-end workings of Radiks needed to really understand the security model.
Is there anything in particular you want reviewed or tested? Otherwise, if you feel confident in the fixes, then I think we should go ahead and merge & release.
Fixes #29
Radiks-server was not properly validating the `updatedAt` attribute for model updates and deletes. This could potentially lead to signature jacking. Radiks-server now validates that the `updatedAt` field is greater than previous `updatedAt`s. This acts similarly to a `nonce` in blockchains.
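
The check described above, as an added example that is not code from Radiks or from this PR: a signature-only validator beside one that also requires a strictly increasing `updatedAt`, run over the same constructed writes. The Ed25519 key pair, the signed message format `${_id}-${updatedAt}`, the in-memory `Map` store and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for a user's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Assumption: the signature covers `${_id}-${updatedAt}`.
const signedMessage = (attrs) => Buffer.from(`${attrs._id}-${attrs.updatedAt}`);

function signModel(attrs) {
  const signature = crypto.sign(null, signedMessage(attrs), privateKey).toString('hex');
  return { ...attrs, signature };
}

function hasValidSignature(attrs) {
  if (typeof attrs.signature !== 'string') return false;
  return crypto.verify(null, signedMessage(attrs), publicKey, Buffer.from(attrs.signature, 'hex'));
}

// Signature check only: any write that was ever validly signed stays acceptable.
function validateSignatureOnly(store, attrs) {
  return hasValidSignature(attrs) ? 'accepted' : 'bad signature';
}

// Signature check plus the rule from the PR description: updatedAt must be
// strictly greater than the stored record's updatedAt.
function validateWithUpdatedAt(store, attrs) {
  if (!hasValidSignature(attrs)) return 'bad signature';
  if (!Number.isFinite(attrs.updatedAt)) return 'invalid updatedAt';
  const previous = store.get(attrs._id);
  if (previous && attrs.updatedAt <= previous.updatedAt) return 'stale updatedAt';
  return 'accepted';
}

function applyWrite(store, attrs, validate) {
  const result = validate(store, attrs);
  if (result === 'accepted') store.set(attrs._id, attrs);
  return result;
}

// Constructed sample writes: v1, then v2, then v1 submitted again.
function runScenario(validate) {
  const store = new Map();
  const v1 = signModel({ _id: 'note-1', text: 'first', updatedAt: 1000 });
  const v2 = signModel({ _id: 'note-1', text: 'second', updatedAt: 2000 });
  const results = [v1, v2, v1].map((w) => applyWrite(store, w, validate));
  return { results, finalText: store.get('note-1').text };
}
```

With `validateSignatureOnly` the resubmitted v1 overwrites v2; with `validateWithUpdatedAt` it is rejected as stale and the store keeps v2.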