yorkie icon indicating copy to clipboard operation
yorkie copied to clipboard

Published 20 hours ago verified publisher icon yorkie-team

Validate Checkpoint in ChangePack for PushPull API requests

Open hackerwins opened this issue 4 months ago • 0 comments

Description:

When the Client calls the PushPull API and sends the request ChangePack, Checkpoint in the request may be tampered with due to various reasons such as network delays causing duplicate requests, new SDK bugs, or intentional tampering by malicious clients.

Therefore, it is beneficial for the stability and security of the system to validate Checkpoint.

Consider the following validation checks:

  • Changes in the request ChangePack passed to PushPull API are created by a single Client, so Change.ID.Checkpoint.ClientSeq should increment sequentially by one.
  • Checkpoint.ServerSeq in the request ChangePack for PushPull API cannot be greater than the server's Checkpoint.ServerSeq since it is set when the server saves the Change to the database.

If the Checkpoint is invalid, consider the following exception handling:

  • If duplicate requests caused by network delays treat them as OK
  • For other reasons, return INVALID_ARGUMENT

Why:

This validation will help ensure the integrity and security of the system.

hackerwins avatar Mar 04 '24 04:03 hackerwins