benih wrote in Mon May 03, 2021 11:45 am:
When receiving a new pilot, the MP-Server:
1. queries the SQL DB to see if the callsign is claimed (additionally check against last login or something like that, so long-unused callsigns can be reclaimed)
2a. If no, let the pilot proceed
2b. If yes, check the supplied password against the DB, and if it succeeds, proceed.
Point 2b has a vulnerability: FGclient and MPserver don't have an encrypted connection.
Transmitting a password over this connection is really bad.
A possible way would be tokens:
1) if the user wants to connect to an MPserver, FG shows a dialog to enter the callsign and a checkbox for 'registered user'.
2) if the user unchecks the box, FG tries to connect to the MPserver with 'callsign=FOOO/token=null'
3) if the user checks the box, he/she should enter the (forum) 'username' and 'password';
FG opens a secure connection to the DB and requests a token for these credentials
4) if the credentials are correct, the DB generates a token and sends it back to the FGclient;
if the credentials are not correct, the DB answers with a failure (or 'token=null') and the FGclient shows it inside the dialog
5) if the FGclient receives a valid token, it connects to the MPserver with 'callsign' and 'token'
6) the MPserver sends the 'callsign' to the DB
7) the DB answers with the valid 'token'
8) if the token is correct, the user is registered and can use this callsign
On the MPserver side:
if the server receives a connection with a 'callsign' but an empty token ('token=null'), it is allowed as long as no other user uses this callsign
if the server receives a connection with a 'callsign' and 'token', it checks it against the DB
- if it is correct, the user can use this callsign ... if another user already uses this callsign, that user is kicked
- if it is not correct, the server drops the connection
This way, the MPserver knows who is registered and who is not ... it can also display this on the map with colored callsigns, or the callsigns of unregistered users in parentheses or brackets.
This way we need an encrypted connection only to the DB.
The DB needs 2 new requests:
1) a 'create-token' for the FGclients, responding with the new token (valid if correct credentials are received, otherwise an invalid token '0000…')
2) a 'check-callsign' for the MPserver, responding with the token (valid if there is a valid token, otherwise an invalid token '0000…')
The token can be valid for some minutes, because we need it only to verify the user, and not much time will elapse between the 'create-token' from the FGclient and the 'check-callsign' from the MPserver.
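The flow proposed in this post, as an added example that is not part of the post or of FlightGear's own code: a Python simulation of the 'create-token' and 'check-callsign' requests and of the MPserver's connect rules (null token, token check, kicking a squatter, expiry), driven by a constructed user table and an explicit clock. The token format, the TTL value, the class and method names and the hashing of stored passwords are assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import secrets

INVALID_TOKEN = "0" * 32   # the post's '0000…' sentinel for "no valid token" (assumed length)
TOKEN_TTL = 300            # seconds; keep short, the token itself still crosses the plain FG->MP link

class AuthDB:
    """Stands in for the forum DB reached over the encrypted channel (constructed)."""

    def __init__(self, users):
        # users: username -> (callsign, password); only a password hash is kept
        self.users = {u: (cs, hashlib.sha256(pw.encode()).hexdigest())
                      for u, (cs, pw) in users.items()}
        self.tokens = {}   # callsign -> (token, expiry time)

    def create_token(self, username, password, now):
        """Request 1: FGclient sends credentials, gets a fresh token or the invalid one."""
        rec = self.users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if rec is None or not hmac.compare_digest(rec[1], digest):
            return INVALID_TOKEN
        token = secrets.token_hex(16)
        self.tokens[rec[0]] = (token, now + TOKEN_TTL)
        return token

    def check_callsign(self, callsign, now):
        """Request 2: MPserver asks which token is currently valid for a callsign."""
        token, expiry = self.tokens.get(callsign, (INVALID_TOKEN, 0))
        return token if now < expiry else INVALID_TOKEN

class MPServer:
    def __init__(self, db):
        self.db = db
        self.sessions = {}   # callsign -> connection id

    def connect(self, conn_id, callsign, token, now):
        """Apply the post's server-side rules to one incoming connection."""
        if token is None:                       # 'token=null': unregistered pilot
            if callsign in self.sessions:
                return "refused: callsign in use"
            self.sessions[callsign] = conn_id
            return "accepted: unregistered"
        expected = self.db.check_callsign(callsign, now)
        if expected == INVALID_TOKEN or not hmac.compare_digest(expected, token):
            return "dropped: bad token"
        kicked = self.sessions.get(callsign)    # registered owner displaces a squatter
        self.sessions[callsign] = conn_id
        return "accepted: registered" + (f", kicked {kicked}" if kicked else "")
```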