eventual icon indicating copy to clipboard operation
eventual copied to clipboard
verified publisher icon sam-goodwin

Activity Token Security

Open thantos opened this issue 3 years ago • 2 comments

The activity token is currently base64 JSON object which contains the execution id and seq number of the activity.

This has a few issues:

  1. not secure - could be faked
  2. the base64 representation will grow with the execution id

Options:

  1. UUID generated for each activity and stored
  2. KMS encrypt the json payload before base64
  3. Encode the sequence number in a reversable way as to not be predictable

thantos avatar Dec 12 '22 21:12 thantos

Should we re-visit this prior to release? Is it hard to evolve out of?

sam-goodwin avatar Mar 16 '23 09:03 sam-goodwin

No, the tokens are versioned and opaque.

thantos avatar Mar 17 '23 15:03 thantos