-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
One-time-key upload/claim is racy #1124
Comments
I think the only real solution to this is for the server to remember it has recently seen and handed out a given OTK, and not hand it out a second time even if it gets uploaded again. As such, I'm not entirely convinced it is a spec issue so much as a server-side impl issue (though certainly the spec could make the necessary behaviour explicit). |
Another option would be:
The advantage is that the server wouldn't have to keep a record of issued OTKs. The disadvantage is that it means API changes, and changes client-side as well as server-side. |
This superficially feels like it could hide bugs (e.g if a client uploads a different key with a lower numeric ID, there's no evidence it wasn't stored). But other than that, I like it. |
As long as the server also checks that there isn't already a different key with the same alphanumeric ID, I don't think this would hide any more bugs than are already hidden? |
Only one of Bob or Charlie can use the key to talk to Alice.
The text was updated successfully, but these errors were encountered: