Security of the post API

[GeeF]

Maybe I'm missing something, but from what I see, the permission to post data for a specific sensor node is solely based on its id? That could potentially be bad, as you can get ids that are activated pretty easily.

[ricki-z]

Can you tell me how to get another activated id beside your own?

[GeeF]

Again, maybe I'm getting it wrong. It's just an idea. I was looking at: https://www.madavi.de/sensor/graph.php?showfloat Sensors are named e.g. "esp8266-10666457-sds011" where "10666457" is the ID, right? If it's not, I rest my case :)

[ricki-z]

The "feinstaub-api" and the server generating these graphics are independent.
Not every sensor in the "feinstaub-api" is sending to madavi api. And some of the sensors shown there aren't sending to "feinstaub-api". Even some of the sensors not marked red if they are "known".
Example: esp8266-906538 is shown on madavi.de but should be denied by api.luftdaten.info

[GeeF]

But there are at least some? Anyway, its a 6 digit ID, you could easily brute force it and generate garbage data. Maybe allow the exchange of a shared secret for 24 hours after activating an ID? That wouldn’t put any more work on the users side.