ROBERT Client API Spec issues
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues
Last updated: 2020-08-21T17:06:07+02:00

Issue #6: Limit bandwidth and increase performances with Protocol Buffer
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/6
Florent Morin, 2020-08-21T17:06:07+02:00

By using Protobuf instead of JSON, bandwidth usage can be significantly decreased.
For example, bytes are stored as bytes, and not as a Base64 string.
It also works fine for enums, which are not strings but enums.
And more.
Even with compression (i.e. Gzip), Protobuf is better.
And, for energy consumption on devices, Protobuf offers better performance than JSON.

Issue #5: External users can contribute to the project?
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/5
gdarquie, 2020-06-06T02:16:50+02:00

Hello,
Apparently new gitlab.inria subscribers (externals) can't fork a project (we don't have the permission to create a new project).
Is there a way we can make some merge requests?

Issue #4: Clear JSON?
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/4
Florent Morin, 2020-06-06T00:38:08+02:00

Is there anything to encrypt JSON data?
Something more secure than HTTPS only? _(open to MitM via network or mobile VPN attacks)_
An end-to-end encryption based on:
* generated public keys for client and server via HKDF
* securely stored keys in the app (private client / public server)
* salt can be based on timestamp
JSON can be encrypted with these shared keys.
And, for better security, in-app keys can be used only once for `/register`, by providing a client public key for future exchanges.
In `/register`, the server can send its own public key.
And, after that, JSON can be encrypted using the new keys.
Keys can rotate after each exchange.
It becomes really difficult, after cracking HTTPS, to understand what happened.
Because everything starts on the first HTTPS connection, it's difficult to obtain the dynamic keys.
The [Themis](https://github.com/cossacklabs/themis) open-source framework is available for Swift, Java and more.

Issue #3: API Rate Limit
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/3
Florent Morin, 2020-06-06T02:08:44+02:00

Is there an API Rate Limit by client? (to avoid overflow)

Issue #2: `/register`: only captcha to obtain ids?
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/2
Florent Morin, 2020-06-06T00:36:01+02:00

Google CAPTCHA is good to ensure a human uses the app.
But it's not a really secure authentication process.
It can be cracked by a "Mechanical Turk" API (i.e. [2CAPTCHA](https://2captcha.com)).
_(and, on the client side, the usage of a web view is potentially dangerous for runtime security)_

Issue #1: Client authentication?
https://gitlab.inria.fr/stopcovid19/robert-client-api-spec/-/issues/1
Florent Morin, 2020-06-06T13:32:37+02:00

Client authentication doesn't appear.
No `Authorization` header or things like this.
`ES256` JWT tokens generated by the client with a shared rotating key, and integrating the path in the signature, could be a good starting point?