martedì 28 febbraio 2017

One Time Action token-based - First Part


Hi Folks,
I have a new problem.

Actually, I'm managing a service to submit purchase orders (OMS - orders management service).

Many 3rd parties clients submit requests to OMS, in the last months I noticed many double requests (two requests with the same charateristics) from some types of client. 
This type of dynamic create some problem to the back office operation beacuse many of these requests aren't correct request.

My idea is to add a token to order submit request in order to:

  1. Track the request
  1. Block erronous requests

The idea is based on the concept OTP (One-Time Password): https://en.wikipedia.org/wiki/One-time_password and to create a Token LifeCycle  Manangement Service (TLCMS)

Unfortunately, I don't use an API Gateway (eg, use a BEARER token) and the service uses a stateful approach so I need to construct all elements to create the requirement.

First step: Token Generation

I like something li firebase token generator: https://github.com/firebase/firebase-token-generator-java

Adding an encription phase based on DES or other: it's easy to find some resources:


The flow is this:

  • TLCMS receives a request from a client, the reuqest can contain some information on order or other information related to the request to protect with the token
  • TLCMS generates a JSON payload from information
  • TLCMS serialize  a JSON payload in a string
  • TLCMS encrypts string
  • TLCM apply BASE64 encoder to string.
  • TLCM gets the the string as token to client.

This token will be used in the header of http request to enable the action execution.


See you on...

Nessun commento:

Posta un commento