mauve,
@mauve@mastodon.mauve.moe avatar

Tee hee, just added blocklist importing to the #SocialInbox using Mastodon's blocklist format :P

mauve,
@mauve@mastodon.mauve.moe avatar

Fun fact, looks like our admin registration is going to use the same http auth mechanisms.

Here's how it looks:

  • Keep list of admins in webmention format in the DB
  • Admins talk to the API using signed HTTP requests
  • API verifies requests by verifying the signatures

Cool side effects? No need for storing a password or issuing tokens or actual admin account data. We can also use wildcards in the list like @*@hypha.coop to allow any account from a given domain to have access.

thisismissem,
@thisismissem@hachyderm.io avatar

@mauve I'm pretty sure that host may be spoofable..

mauve,
@mauve@mastodon.mauve.moe avatar

@thisismissem could you elaborate more on the exploit you have in mind?

the flow for verifying looks like this:

  • somebody creates an http request to our server and signs it with an actor URL pointing to their key
  • our server fetches the actor URL and takes the public key out from the object
  • the server then verifies the signature with the public key and verifies the digest of the request as well as the date to prevent replay attacks
  • server resolves actor object to a web mention username

thisismissem,
@thisismissem@hachyderm.io avatar

@mauve hmm, maybe that's fine then!

mauve,
@mauve@mastodon.mauve.moe avatar

@thisismissem I think there is risk in folks adding fake actors if they can add arbitrary files to a site, but I'm hoping that querying the webfinger endpoint to verify would help there.

Spoofing https certs and DNS might be a risk though? 🤷

thisismissem,
@thisismissem@hachyderm.io avatar

@mauve yeah, just make sure that after resolving all the documents that the URIs and hosts all match up

thisismissem,
@thisismissem@hachyderm.io avatar

@mauve that is to say I'm doubtful that DNS and HTTPS would be particularly weak points, especially given signing and pinning of public keys (there is a process for announcements of key rotation too)
