Skip to content

Consider an HTTP POST option to mitigate browser triggering #36

Description

@PeterRounce

Raised by Nicholas Burtey in the Bolt Card Telegram group.

The current (nice and simple) interface for the NFC writer app to get the keys is:

  • scan a QR code or copy an HTTPS link
  • app hits the endpoint to get the keys (endpoint is only available one time)
  • app is available to program the cards

This is designed to be simple and secure.

Nicholas has pointed out that the link could be (accidentally or on purpose) opened by a browser and then will not work, as it is one use only. This could be mitigated using an HTTP POST request.

If implemented, this should be done in a backward compatible way.
I suggest adding a parameter to the URI, e.g. use_post=true .
This can be detected by the app and a POST request made with the key passed as a paremeter.
In this case, the server should detect a GET request and respond with an error message.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions