Adds Admin session_passkey to prevent replay of admin packets #558
Conversation
|
@garthvh Do you request the config when a user goes into the settings or only after "Save"? Would also be good to know this for other clients, as otherwise 120 seconds will be too tight, especially with slow LoRa settings and when it goes over multiple hops. |
I don't do anything yet, so we can set it up however makes sense and it will likely get used by the other clients |
|
I mean how remote admin is currently implemented. Probably you first request the config to be able to show the current settings? If the user then afterwards still has to choose the new config, that will likely take too much time. |
|
We could even add new admin get_sessionkey and get_sessionkey_response messages, just to get an updated sessionkey. |
|
That sounds a bit too much of a hassle. I think going from 120 to 300 should give enough margin either way, and it's not a big deal that someone can re-apply the changes you made 5 min. ago. |
Adds a session passkey for admin operations. When the remote node responds to any get_x request, it will include the session passkey in the response. When the local client tries to make any admin changes, the remote node expects that session key to be set. The session key will expire after a short time, currently 120 seconds.