
Create actual authentication between the clients and server

Open lawndoc opened this issue 4 years ago • 3 comments

Currently, the server knows a connection is from a permitted client based on a port-specific "knock" phrase sent upon connection. Adding an actual authentication method to ensure only permitted clients can connect would be more secure.

lawndoc • Jan 08 '21 16:01

As of a5d3b471fbf4f76941345fe5b9d0c8024eda139e clients submit an arbitrary connection key and are queued until they time out or can be bridged with their counterpart client that has a matching connection key. As of now, this process is unencrypted. Going to leave this issue open in order to encrypt the connection keys being sent.

lawndoc • Jan 12 '21 03:01

As of 5ae24b359f14384e6730b8e91533fea1e433cfc7 the connection key must start with the prefix "#!ConnectionKey_" without the quotes. This drops all client connections that don't contain a valid prefix in the connection key message. This process is currently still unencrypted.

lawndoc • Feb 01 '21 20:02
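
The queue-and-bridge handshake described in the two comments above, as an added example that is not the project's code: a client's first message must begin with the `#!ConnectionKey_` prefix, and a client is held until a counterpart submits the same key or it times out. The `PairingQueue` class, the 30-second timeout and the rejection of an empty key are assumptions; nothing here encrypts or authenticates the key, which matches the state the thread describes.

```python
import time

KEY_PREFIX = "#!ConnectionKey_"  # prefix quoted in the thread


class PairingQueue:
    """Hold one waiting client per connection key until a counterpart
    with the same key arrives or the wait times out (hypothetical class)."""

    def __init__(self, timeout=30.0, clock=time.monotonic):
        self.timeout = timeout      # assumed value; the thread gives none
        self.clock = clock          # injectable so expiry can be tested
        self.waiting = {}           # key -> (client_id, arrival time)

    def expire(self):
        """Drop queued clients that waited longer than the timeout."""
        now = self.clock()
        stale = [k for k, (_, t) in self.waiting.items()
                 if now - t >= self.timeout]
        for k in stale:
            del self.waiting[k]
        return stale

    def submit(self, client_id, first_message):
        """Return ("dropped", None), ("queued", None) or ("bridged", peer)."""
        self.expire()
        key = first_message.decode("utf-8", errors="replace").strip()
        # Drop anything without the prefix; an empty key after the prefix
        # is also dropped (assumption, not stated in the thread).
        if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
            return ("dropped", None)
        if key in self.waiting:
            peer, _ = self.waiting.pop(key)
            return ("bridged", peer)
        self.waiting[key] = (client_id, self.clock())
        return ("queued", None)


if __name__ == "__main__":
    q = PairingQueue()
    # Constructed sample messages
    for cid, msg in [("c1", b"hello"), ("c2", b"#!ConnectionKey_demo\n"),
                     ("c3", b"#!ConnectionKey_demo")]:
        print(cid, q.submit(cid, msg))
```
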

Certificate-based authentication is probably a better way to go here...

lawndoc • Mar 31 '22 18:03