chainlink-common

INFOPLAT-1562 dynamic expiring auth headers

Open hendoxc opened this issue 1 year ago • 0 comments

INFOPLAT-1560

What

Allows usage of dynamic auth headers by implementing grpc.PerRPCCredentials & setting it as a DialOption on the otel client.

Why

Makes tokens expire, in the case that one is leaked or intercepted.

  • Someone can indeed steal a token, update the timestamp portion of the token, then try to send data to the gateway endpoint; however, since pubkey bytes + timestamp bytes are what's being signed, the signature part of the token is invalid and will be rejected by the gateway.
  • On the gateway, version 2 tokens have their timestamp part checked: time.Now > timestamp > time.Now - serverTTL

Notes

Current users of the client can still configure static headers using the AuthHeaders field of the beholder client Config. To enable dynamic headers, they should instead configure AuthHeaderProvider.

hendoxc, Dec 13 '24 21:12
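The scheme described in this issue, as an added Go example that is not chainlink-common's code: a client mints a token over pubkey bytes + timestamp bytes, and a gateway checks the signature and then the window time.Now > timestamp > time.Now - serverTTL. Ed25519, the Token struct, the byte encoding, the timestamp unit and every function name are assumptions; the issue states only what is signed and the window check.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token layout is assumed: the issue only says pubkey bytes + timestamp bytes are signed.
type Token struct {
	PubKey    ed25519.PublicKey
	Timestamp int64 // Unix nanoseconds (assumed unit)
	Sig       []byte
}
var ErrBadSig, ErrExpired = errors.New("signature invalid"), errors.New("timestamp outside TTL window")

// signedBytes returns pubkey || big-endian timestamp, the message covered by the signature.
func signedBytes(pub ed25519.PublicKey, ts int64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte{}, pub...), uint64(ts))
}

// NewToken is what a client-side header provider would mint for each RPC.
func NewToken(priv ed25519.PrivateKey, now time.Time) Token {
	pub, ts := priv.Public().(ed25519.PublicKey), now.UnixNano()
	return Token{PubKey: pub, Timestamp: ts, Sig: ed25519.Sign(priv, signedBytes(pub, ts))}
}

// Verify is the gateway side: signature first, then time.Now > timestamp > time.Now - serverTTL.
func Verify(t Token, now time.Time, serverTTL time.Duration) error {
	if len(t.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(t.PubKey, signedBytes(t.PubKey, t.Timestamp), t.Sig) {
		return ErrBadSig
	}
	if ts := time.Unix(0, t.Timestamp); !now.After(ts) || !ts.After(now.Add(-serverTTL)) {
		return ErrExpired
	}
	return nil
}

// Demo runs three constructed cases: fresh token, replay after the TTL, timestamp rewritten.
func Demo() (fresh, stale, forged error) {
	_, priv, _ := ed25519.GenerateKey(nil)
	t0, ttl := time.Unix(1700000000, 0), time.Minute // constructed issue time and serverTTL
	tok, t1, t2 := NewToken(priv, t0), t0.Add(time.Second), t0.Add(time.Hour)
	bad := tok
	bad.Timestamp = t2.Add(-time.Second).UnixNano() // timestamp refreshed, old signature kept
	return Verify(tok, t1, ttl), Verify(tok, t2, ttl), Verify(bad, t2, ttl)
}
func main() { fmt.Println(Demo()) }
```

Because the upper bound is strict, a token from a client whose clock runs ahead of the gateway's is rejected until the gateway's clock passes the token timestamp.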