HTTP-interface for radioactivity_add_energy
skiminki - July 7, 2008 - 16:03
| Project: | Radioactivity |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | normal |
| Assigned: | skiminki |
| Status: | closed |
Description
Suppose that we'd like to report radioactivity events from an external server (see #279456: Plugin: Support for arbitrary (external) targets). Probably the simplest way would be to make radioactivity_add_energy() invokable by HTTP requests, e.g. http://some-server/radioactivity/add_energy?id=object_id&class=object_class&source=some_source
However, we need some extra measures to make this secure, and I'm thinking of the following:
- We could limit the access at the web server (e.g. Apache) or reverse proxy (e.g. Squid) level. Probably that's enough for IP-based security.
- We could add signatures to the requests, like an extra query parameter, e.g. hash=md5($id . $class . $source . $private_key). That should keep the casual malevolent internet entity from tampering with our data, in case the IP-based access restriction is impractical to implement.
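
The signed-request idea from the description, as an added example that is not part of the original post or the Radioactivity module's code: it puts the proposed md5 concatenation beside an HMAC-SHA256 variant with length-prefixed fields and a constant-time check. The function names and the key are assumptions made for illustration.

```php
<?php
// Added example. Function names and the key are hypothetical; this is not
// how the Radioactivity module computes its signature.

// The scheme as written in the description: concatenate, then md5.
function proposed_signature($id, $class, $source, $private_key) {
  return md5($id . $class . $source . $private_key);
}

// Hardened variant: HMAC-SHA256 keyed with the private key, over fields
// that are length-prefixed so the field boundaries are part of the message.
function hmac_signature($id, $class, $source, $private_key) {
  $message = '';
  foreach (array($id, $class, $source) as $field) {
    $field = (string) $field;
    $message .= strlen($field) . ':' . $field;
  }
  return hash_hmac('sha256', $message, $private_key);
}

// Check the query parameters of an incoming add_energy request.
function verify_request(array $query, $private_key) {
  foreach (array('id', 'class', 'source', 'hash') as $name) {
    // Reject missing parameters and array-valued ones (e.g. id[]=1).
    if (!isset($query[$name]) || !is_string($query[$name])) {
      return FALSE;
    }
  }
  $expected = hmac_signature($query['id'], $query['class'], $query['source'], $private_key);
  // hash_equals() compares in constant time, unlike == or strcmp().
  return hash_equals($expected, $query['hash']);
}

$key = 'constructed-example-key';  // constructed sample value

// Constructed inputs: two different (id, class) pairs whose plain
// concatenation is the same string, "12nodeview" followed by the key.
var_dump(proposed_signature('1', '2node', 'view', $key) === proposed_signature('12', 'node', 'view', $key));
var_dump(hmac_signature('1', '2node', 'view', $key) === hmac_signature('12', 'node', 'view', $key));

// A signed request verifies; the same hash with a changed id does not.
$query = array('id' => '12', 'class' => 'node', 'source' => 'view');
$query['hash'] = hmac_signature($query['id'], $query['class'], $query['source'], $key);
var_dump(verify_request($query, $key));
$query['id'] = '13';
var_dump(verify_request($query, $key));
```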

#1
#2
Fixed as a part of #279456
#3
Note that the signature is calculated a bit differently than what's proposed in the description.
#4
Automatically closed -- issue fixed for two weeks with no activity.