Suppose that we'd like to report radioactivity events from an external server (see #279456: Plugin: Support for arbitrary (external) targets). Probably the simplest way would be to make radioactivity_add_energy() invokable by HTTP requests, e.g. http://some-server/radioactivity/add_energy?id=object_id&class=object_class&source=some_source

However, we need some extra measures to make this secure, and I'm thinking of the following:

  • We could limit the access at the web server (e.g. apache) or reverse proxy (e.g. squid) level. Probably that's enough for IP-based security.
  • We could add signatures to the requests, like extra query parameter, e.g. hash=md5($id . $class . $source . $private_key). That should keep the casual malevolent internet entity from tampering our data, in case the IP-based access restriction is impractical to implement

Comments

skiminki’s picture

Assigned: Unassigned » skiminki
skiminki’s picture

Status: Active » Fixed

Fixed as a part of #279456

skiminki’s picture

Note that signature is calculated a bit differently than what's proposed in the description.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.