Raised by Nicholas Burtey in the Bolt Card Telegram group.
The current (nice and simple) interface for the NFC writer app to get the keys is:
- scan a QR code or copy an HTTPS link
- app hits the endpoint to get the keys (endpoint is only available one time)
- app is available to program the cards
This is designed to be simple and secure.
Nicholas has pointed out that the link could be (accidentally or on purpose) opened by a browser and then will not work, as it is one use only. This could be mitigated using an HTTP POST request.
If implemented, this should be done in a backward compatible way.
I suggest adding a parameter to the URI, e.g. use_post=true .
This can be detected by the app and a POST request made with the key passed as a paremeter.
In this case, the server should detect a GET request and respond with an error message.
Raised by Nicholas Burtey in the Bolt Card Telegram group.
The current (nice and simple) interface for the NFC writer app to get the keys is:
This is designed to be simple and secure.
Nicholas has pointed out that the link could be (accidentally or on purpose) opened by a browser and then will not work, as it is one use only. This could be mitigated using an HTTP POST request.
If implemented, this should be done in a backward compatible way.
I suggest adding a parameter to the URI, e.g.
use_post=true.This can be detected by the app and a POST request made with the key passed as a paremeter.
In this case, the server should detect a GET request and respond with an error message.