
Auth for HPT endpoints #465

Open
shawaj opened this issue Jan 20, 2023 · 2 comments

Comments

shawaj (Member) commented Jan 20, 2023

Related to #464

/initFile.txt and /version endpoints should have a way to bypass them via some kind of auth.

Maybe via the gpg key we already use in manufacturing for the shutdown endpoint?

Ref https://github.com/NebraLtd/Hotspot-Production-Tool

shawaj (Member, Author) commented Jan 21, 2023

@robputt @kashifpk this is what we were discussing briefly on slack

kashifpk (Contributor) commented

@shawaj @robputt - We store the private key at the HPT and the hotspots have the public key to verify the payload that is sent. In order to verify requests coming in at hm-diag for /version or /initFile.txt we can make some kind of signed API key that can be passed in the Authorization HTTP header.

HPT knows the miner's IP and MAC address from the DHCP lease file. So perhaps we can encrypt the miner's MAC address using the GPG key and send it to hm-diag as the access key / authorization header?

Currently the key pair is only used for signing payloads for shutdown etc but current key also supports encryption/decryption.

Suggested new flow

  1. When a new miner is detected, HPT generates a new API key by encrypting the miner's MAC address with the GPG signing key.
  2. All requests sent from the HPT to the miner contain header Authorization: Bearer <API_KEY>
  3. On hm-diag for endpoints that require it, the API_KEY is first validated (can be implemented as an authentication decorator).
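
The three-step flow above, worked through end to end as an added example (this is not code from hm-diag or the Hotspot-Production-Tool, and it uses Go with the standard library's Ed25519 in place of the manufacturing GPG key so that it runs without a gpg binary). One design point the example makes concrete: because the hotspots hold only the public key, the access key has to be something only the private-key holder can produce, i.e. a signature over the miner's MAC that hm-diag verifies with the public key. A value anyone with the public key could compute (such as a ciphertext encrypted to that key) would not prove the request came from the HPT. The token also carries an expiry and is checked against the hotspot's own MAC, so a token captured from one miner cannot be replayed against another or reused indefinitely. The token layout, the names IssueToken, VerifyToken, RequireAuth and StatusFor, and the MAC address are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

var ErrBadToken = errors.New("invalid token")

// IssueToken runs on the HPT, which holds the private key (Ed25519 stands in for the GPG key).
// Hypothetical layout: base64url("mac=<lowercase mac>;exp=<unix seconds>") "." base64url(sig).
func IssueToken(priv ed25519.PrivateKey, mac string, exp time.Time) string {
	payload := []byte("mac=" + strings.ToLower(mac) + ";exp=" + strconv.FormatInt(exp.Unix(), 10))
	sig := ed25519.Sign(priv, payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyToken runs on the hotspot (hm-diag), which holds only the public key. ownMAC is the
// hotspot's own interface MAC; now is a parameter so that expiry handling is testable.
func VerifyToken(pub ed25519.PublicKey, token, ownMAC string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return ErrBadToken
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadToken
	}
	// Check the signature before trusting any field of the payload.
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadToken
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(string(payload), ";") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ErrBadToken
		}
		fields[k] = v
	}
	if fields["mac"] != strings.ToLower(ownMAC) {
		return errors.New("token was issued for a different miner")
	}
	exp, err := strconv.ParseInt(fields["exp"], 10, 64)
	if err != nil {
		return ErrBadToken
	}
	if !now.Before(time.Unix(exp, 0)) {
		return errors.New("token expired")
	}
	return nil
}

// RequireAuth is the Go equivalent of the authentication decorator proposed for hm-diag:
// it checks "Authorization: Bearer <token>" and only then calls the wrapped handler.
func RequireAuth(pub ed25519.PublicKey, ownMAC string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if err := VerifyToken(pub, strings.TrimPrefix(h, "Bearer "), ownMAC, time.Now()); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one in-memory GET /version through RequireAuth and returns the HTTP status.
func StatusFor(pub ed25519.PublicKey, ownMAC, authHeader string) int {
	version := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("version: example\n")) // stands in for the real /version response
	})
	req := httptest.NewRequest(http.MethodGet, "/version", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	RequireAuth(pub, ownMAC, version).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	mac := "DC:A6:32:12:34:56" // constructed MAC, as the HPT would read it from its DHCP lease file
	tok := IssueToken(priv, mac, time.Now().Add(10*time.Minute))
	fmt.Println("valid:", StatusFor(pub, mac, "Bearer "+tok), "no header:", StatusFor(pub, mac, ""), "other miner:", StatusFor(pub, "dc:a6:32:00:00:01", "Bearer "+tok))
}
```

In this shape the HPT never sends the bare MAC as a secret (the MAC is already visible on the LAN), only a signature that binds it to a deadline; hm-diag needs nothing but the public key it already has and its own MAC, and the signature is checked before any field of the payload is parsed or compared.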
