Comments (7)
@cbrake After some preliminary research on JWT and getting familiar with the codebase, I'd like some clarification of the requirements.
It seems to be to create a notion of device identity with which we could, for instance, perform authorization (but authorization is out of scope). The JWT carries this identity, and will accompany every HTTP request against the backend. The server will associate JWTs with devices (presumably via bolthold?), and so any incoming HTTP request lacking a valid JWT header will be rejected.
This rejection could happen regardless of the request, so at the rootmost levels of the HTTP handler tree. Or, if we want something more like authorization, it could be happening at lower levels, with more complex logic.
I would assume that authorization is eventually needed to prevent a known device from modifying parts of the DB it should not be touching.
Does this sound right?
from simpleiot.
Things we want to prevent:
- random people/bots spamming the system and filling database with crud
- fake data coming in for an existing device
I think when a device is provisioned, we store something on the server and device that has to match or authenticate for subsequent transactions to succeed.
This all gets pretty complex, so we probably want to start as simple as possible to accomplish the above goal.
I'm not sure what levels it should happen yet ...
from simpleiot.
It sounds like you are describing API keys, so I looked into that. I found this article somewhat informative, although it feels like it's trying to sell me something:
https://nordicapis.com/why-api-keys-are-not-enough/
The main points:
- API keys provide identification,
- but not proof of authenticity, and
- are difficult to use with fine-grained access control.
Given that we assume SSL, that at least prevents the keys from being sniffed in transit.
from simpleiot.
above article about API keys is interesting. I think the main production use cases for device->cloud communication (at least with cellular) will be CoAP, so I would be inclined to do something like a simple API key for the HTTP REST device API to provide some protection, yet keep them for demo and simple use cases (pushing data from scripts, etc). After learning a bit more about JWT during the user auth exercise, I think an API key is probably sufficient to get to a MVP -- can always expand later as needed.
from simpleiot.
interesting article about server side vs client side device authentication: https://www.verypossible.com/what-engineering-leaders-need-to-know-about-iot-security
from simpleiot.
authToken is implemented for NATS (feature-nats). Still should probably add authtoken support for HTTP.
from simpleiot.
authToken support implemented for HTTP -- closing for now, we can improve more later.
from simpleiot.
Related Issues (20)
- Store File node contents in point data field
- File node -- specify valid file types
- CAN client: add disable checkbox
- Clean up client examples HOT 1
- change Start() to Run() HOT 1
- persist user login HOT 2
- Expose API for store dump / import HOT 6
- Nats.go wasm now works - finally
- Database replication
- UI: highlight options if nothing is selected
- clients with child nodes do not always initialize properly HOT 1
- OSVersionField should have default value HOT 2
- Fix Windows Build issues
- Port forwarding client
- Switch to a different default web server port HOT 3
- Deploy SIOT to all servers/machines I maintain HOT 1
- Declarative config HOT 4
- CAN BUS CRASH HOT 1
- Convert particle code to client
- Add README for simpleiot-js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from simpleiot.