How safe is it to use an imp? What prevents someone from controlling your imp?

To send messages to your imp with a HTTP request, you need to go to a link. What is stopping someone from guessing a link?
Don’t you think that there should be a password that must be entered when you go to the link in order for the request to be sent.

you can program that sort of things yourself

how? I cannot edit the code for that website that says “OK”. Also you would have to do this on the server. how would you do that…

That is something that is up to you, as the developer.

This functionality isn’t available with HTTP In nodes… but if you’re working with HTTP requests, you should be asking for beta access, and using agents instead.

Using agents, and http.onrequest(), you can look at the headers (for auth, or anything else you want), and send back much more complicated responses (adding headers, a body, and selecting what the HTTP status code should be).

@beardedinventor Do you have any nifty Squirrel code that could be run on the Imp to generate a nice key for authenticating HTTP connections?

I don’t think we have any code on-hand for this.

The easiest way would likely be to hardcode some unique key, and require it as an api-key header:

`apiKey <- “1124582b-3ad7-456f-931d-a12012011bea”;

http.onrequest(function(req, resp) {
if (“api-key” in req.headers && req.headers[“api-key”] == apiKey) {
// process request

    resp.send(200, "OK");
} else {
    // user was not authorized
    resp.send(401, "Unauthorized");


I haven’t tested that (I just wrote it now)… but it should work, or at least give you an idea of how that flow might work?

edit: if you’re using this method, make sure you use HTTPS so the headers aren’t visible.

I didn’t even think about sending it in the header… I was just going to send it in the body. I always use HTTPS… didn’t think you could talk to the agent without it. Are there any benefits to sending it in the header?

Best practice mostly - you typically don’t send authenticating information as part of the body of the request.

Got it. Just added an APIKey header to each of the control panels in my new iOS app… now for the agent code…

…and the code works nicely.

The above example is probably vulnerable to Timing Attack.
There’s a great article about why you shouldn’t code authentication mechanisms yourself: You are dangerously bad at cryptography

Have a great read :slight_smile:

Perhaps, but I think we can agree that it is better than no authentication method at all. I don’t pretend anything other than a general understanding of how cryptography works, but I do intend to implement new security methods as they become available with firmware updates.

@omri not sure it’s vulnerable to a timing attack, because the APIkey validation is being done in a VM environment with a thoroughly random load from other agents, and with a lot of other stuff happening. There’s a lot of timing noise there.