feat: add ethereum signature based auth api for vpc allow list management#27
feat: add ethereum signature based auth api for vpc allow list management#27
Conversation
| ### Admin Endpoints | ||
|
|
||
| - `GET /admin/nonce` - Obtain a new nonce for signing requests | ||
| - `POST /admin/allowlist` - Add an app to the allowlist (Body: `{"app_id":"..."}`) |
There was a problem hiding this comment.
This endpoint looks like it would overwrite the entire list. It would be better to use a more descriptive path, such as POST /admin/allowlist/add, and perhaps support batch updates.
| return fmt.Sprintf("https://%s-8080.%s", appID, gatewayDomain) | ||
| } | ||
|
|
||
| func parseAllowedApps(allowedApps string) []string { |
There was a problem hiding this comment.
As the new implementation is not fully decentralized so far, it might be better to keep the previous implementation as an choice for web3 purists.
| } | ||
|
|
||
| func (s *AppState) storeNonce(nonce string) error { | ||
| return s.nonceDB.Update(func(txn *badger.Txn) error { |
There was a problem hiding this comment.
Allowing anonymous users to insert unlimited data poses a risk of storage DoS. A stateless server-side JWT might be sufficient here.
I'm not entirely sure what specific attack the nonce is intended to prevent. A simpler approach might be using a client-side token. The flow would be: the client uses their wallet to sign a token containing 'allowed operations' and an 'expiration time' before sending the request. We can set a short expiration time to ensure security.
2 participants
No description provided.