unfoldingWord-dev / ts-server

Server side code for translationStudio
MIT License
Add Basic App Authorization #4

Open jag3773 opened 10 years ago

jag3773 commented 10 years ago

I think we need to build into the app an authorization key so that only apps can talk to the tS-server. Currently, anyone can talk to the tS-server, but it would be nice if only our tS app could do so.

I'm envisioning a shared hash that the app sends to the server and the server verifies the correct hash before allowing the client to submit their key.

da1nerd commented 10 years ago

Agreed. I had that written down somewhere, but not sure where.

My thoughts were to generate a new token for each release of the app and register+label each one of those with the server(s). We'll need to propagate these to all the servers.

Exchanging key as per issues https://github.com/Door43/tS-server/issues/1 and https://github.com/Door43/tS-server/issues/2 would allow the app to authenticate itself without revealing the token.
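
An added example, not part of the thread or the project's code: one way the per-release, labelled token scheme discussed above could be verified without the app ever sending the token, using an HMAC challenge-response. The release labels, token values, and the `Server` and `client_proof` names are assumptions made for illustration; the key exchange from issues #1 and #2 is not shown on this page and is not reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed registry: release label -> token shipped in that app release.
# Labels and token values are made up for this example.
RELEASE_TOKENS = {
    "app-1.0": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "app-1.1": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
REVOKED = {"app-1.0"}  # labels let the server retire one release's token


class Server:
    def __init__(self, tokens, revoked=()):
        self.tokens = dict(tokens)
        self.revoked = set(revoked)
        self.pending = set()  # nonces issued but not yet answered

    def challenge(self):
        """Issue a fresh single-use nonce for the client to sign."""
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, label, nonce, proof):
        """Accept only a valid HMAC over an outstanding nonce."""
        if nonce not in self.pending:
            return False  # unknown or replayed nonce
        self.pending.discard(nonce)  # one attempt per nonce
        token = self.tokens.get(label)
        if token is None or label in self.revoked:
            return False
        expected = hmac.new(token, label.encode() + nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, proof)


def client_proof(label, token, nonce):
    """App side: prove knowledge of the token without sending it."""
    return hmac.new(token, label.encode() + nonce, hashlib.sha256).digest()
```

Because each token is registered under a release label, the server can reject a single release by adding its label to the revoked set without touching the others.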