While using Hawk for authentication (bug 962831) we need to check nonces in a robust way to prevent replay attacks. We will already have a timestamp expiration; nonce checking is a way to limit replays before the timestamp expires. We need to use something like Redis to store the nonce temporarily (until the timestamp expires) to reject duplicate nonces.
Priority: -- → P3
Assignee: nobody → kumar.mcmillan
Depends on: 976729
Nonce checking with Django cache is implemented here: https://github.com/mozilla/apk-signer/commit/5acae04643f943b1c6d5f5ea695bd8bf48a20eeb Right now it uses memory cache, but once we have memcache (bug 976729) it should work just the same.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-03-04
Please add some STRs to this bug or mark it as [qa-]
Whiteboard: [A4A] → [A4A][qa-]
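The replay check this bug describes, as an added example (not code from apk-signer or the linked commit): a nonce is stored until its timestamp can no longer be accepted, and a duplicate inside that window is rejected. `TTLCache`, `check_request`, the cache key layout and the 60-second skew are hypothetical; `add()` copies the add-if-absent behaviour of Django's `cache.add()` and memcached's `add`.

```python
import threading
import time


class TTLCache:
    """In-memory stand-in for a shared cache (memcached/Redis) with atomic add."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}  # key -> absolute expiry time
        self._lock = threading.Lock()

    def add(self, key, ttl):
        """Store key only if absent or expired; True means it was stored."""
        now = self._clock()
        with self._lock:
            # Drop expired entries so the store does not grow without bound.
            for k in [k for k, exp in self._expiry.items() if exp <= now]:
                del self._expiry[k]
            if key in self._expiry:
                return False
            self._expiry[key] = now + ttl
            return True


def check_request(cache, key_id, nonce, ts, skew=60, clock=time.time):
    """Return 'ok', 'stale' or 'replay' for one Hawk-style request.

    skew is the assumed allowed clock difference in seconds.
    """
    now = clock()
    if abs(now - ts) > skew:
        return "stale"  # outside the timestamp window, no nonce is stored
    # Remember the nonce until ts can no longer pass the check above.
    ttl = (ts + skew) - now
    # Scope the nonce to the credential id so two clients cannot collide.
    # One add() call is check-and-set: concurrent replays cannot both succeed.
    if not cache.add(f"hawk-nonce:{key_id}:{ts}:{nonce}", max(ttl, 1)):
        return "replay"
    return "ok"
```

A per-process memory cache only catches replays that reach the same worker, so the check is complete only once every worker shares one cache backend.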