I want to access facts from the `UnverifiedBiscuit` token authority block in the early request-processing middleware layers.
Two use cases are fine to run on untrusted data and not pay the signature verification cost too early:
- Use an unverified `session_id` fact as a prefix for the `trace_id` of the root tracing span to group events from the same session together. The risk for spoofed `session_id` is a grouping of log events together with the same `session_id` of a legitimate active client.
- Use unverified security metadata facts to check proof-of-work solution for device/session-specific challenge against bots and automation. PoW validation logic does 16 SHA256 hashes, which is faster to calculate than Ed25519 signature verification. PoW validation will fail if token facts are spoofed, because these facts were used in the challenge hash preimage.
Also, it is possible to check the token expiration time to reject expired tokens early without doing PoW validation/signature verification.
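
An added sketch of the early-middleware ordering described in this issue (not code from the issue author or the biscuit project), showing why spoofed facts fail the PoW check before any signature work. The puzzle layout (16 rounds, one nonce each, leading-zero target), the `device_id` fact and all function names are assumptions; the facts dict stands in for whatever accessor `UnverifiedBiscuit` would expose.

```python
import hashlib
import json

ROUNDS = 16          # assumption: 16 sub-puzzles, one SHA-256 each to verify
DIFFICULTY_BITS = 8  # assumption: low so the demo solves instantly

# Constructed sample: facts as read from the authority block before any signature check.
SAMPLE_FACTS = {"session_id": "s-7f3a", "device_id": "d-19c2", "expires": 2000}


def _digest(facts, round_no, nonce):
    # The preimage binds the untrusted facts, so changing any fact changes every digest.
    preimage = json.dumps(
        [facts["session_id"], facts["device_id"], facts["expires"], round_no, nonce]
    ).encode()
    return hashlib.sha256(preimage).digest()


def _meets_target(digest):
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0


def solve(facts):
    """Client side: brute-force one nonce per round."""
    nonces = []
    for round_no in range(ROUNDS):
        nonce = 0
        while not _meets_target(_digest(facts, round_no, nonce)):
            nonce += 1
        nonces.append(nonce)
    return nonces


def early_check(facts, nonces, now):
    """Return a reject reason, or None to continue to signature verification."""
    if facts["expires"] <= now:  # cheapest test first, no hashing
        return "expired"
    if len(nonces) != ROUNDS:
        return "bad_pow"
    for round_no, nonce in enumerate(nonces):  # exactly 16 hashes
        if not _meets_target(_digest(facts, round_no, nonce)):
            return "bad_pow"
    return None


def trace_prefix(facts, request_id):
    # Grouping key only; never used for an authorization decision.
    return f"{facts['session_id']}-{request_id}"
```

A `None` result from `early_check` only means the request earned a signature verification; the facts stay untrusted until that verification succeeds.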