
Consider an HTTP POST option to mitigate browser triggering #36

Open
PeterRounce opened this issue Sep 17, 2023 · 2 comments

Comments

@PeterRounce
Member

Raised by Nicholas Burtey in the Bolt Card Telegram group.

The current (nice and simple) interface for the NFC writer app to get the keys is:

  • scan a QR code or copy an HTTPS link
  • app hits the endpoint to get the keys (endpoint is only available one time)
  • app is available to program the cards

This is designed to be simple and secure.

Nicholas has pointed out that the link could be (accidentally or on purpose) opened by a browser and then will not work, as it is one use only. This could be mitigated using an HTTP POST request.

If implemented, this should be done in a backward compatible way.
I suggest adding a parameter to the URI, e.g. use_post=true.
This can be detected by the app and a POST request made with the key passed as a parameter.
In this case, the server should detect a GET request and respond with an error message.

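The flow proposed above, worked through as an added example (this is not the Bolt Card server or app code, and the token parameter name `a`, the path `/new`, the JSON error shape and the sample key bundle are all placeholders I chose for illustration). It shows the two properties that matter: the app moves the one-time token out of the URL and into a POST body when the link carries `use_post=true`, and the server refuses a GET on such a link before it touches the one-time store, so an accidental browser open does not burn the link.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// keyStore holds one-time key bundles keyed by the secret token in the link.
// Assumption for this example: the real service keeps these in its database.
type keyStore struct {
	mu   sync.Mutex
	keys map[string]string // token -> key material (JSON), removed on first read
}

func newKeyStore() *keyStore { return &keyStore{keys: map[string]string{}} }

func (s *keyStore) put(token, payload string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[token] = payload
}

// take returns the payload for token and deletes it: the link is one-use only.
func (s *keyStore) take(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	payload, ok := s.keys[token]
	delete(s.keys, token)
	return payload, ok
}

func errJSON(reason string) string {
	return fmt.Sprintf(`{"status":"ERROR","reason":%q}`, reason)
}

// serveKeys is the server-side decision. It is kept free of net/http so it can
// be exercised directly; handler() below adapts it to a real request.
func serveKeys(store *keyStore, method string, query, form url.Values) (int, string) {
	usePost := query.Get("use_post") == "true"
	var token string
	switch {
	case usePost && method != http.MethodPost:
		// Reject BEFORE consulting the store, so a browser GET of a POST-only
		// link leaves the one-time token intact for the app.
		return http.StatusMethodNotAllowed, errJSON("this link must be fetched with HTTP POST")
	case !usePost && method != http.MethodGet:
		return http.StatusMethodNotAllowed, errJSON("legacy link: use HTTP GET")
	case method == http.MethodPost:
		token = form.Get("a") // token travels in the POST body
	default:
		token = query.Get("a") // legacy behaviour: token in the URL
	}
	if token == "" {
		return http.StatusBadRequest, errJSON("missing token")
	}
	payload, ok := store.take(token)
	if !ok {
		return http.StatusNotFound, errJSON("link already used or unknown")
	}
	return http.StatusOK, payload
}

// handler wires serveKeys to net/http; r.PostForm is only populated for POST bodies.
func handler(store *keyStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, errJSON("bad form"), http.StatusBadRequest)
			return
		}
		code, body := serveKeys(store, r.Method, r.URL.Query(), r.PostForm)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(code)
		fmt.Fprint(w, body)
	}
}

// clientRequest is the app side: given a scanned link, decide the method, the
// URL to call and the form body. Non-HTTPS links are refused outright.
func clientRequest(link string) (method, target string, form url.Values, err error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", "", nil, err
	}
	if u.Scheme != "https" {
		return "", "", nil, fmt.Errorf("refusing non-HTTPS key link")
	}
	q := u.Query()
	if q.Get("use_post") != "true" {
		return http.MethodGet, link, nil, nil // backward compatible path
	}
	// Move the one-time token into the POST body; use_post=true stays in the
	// URL so the server can still tell this link is POST-only.
	form = url.Values{"a": {q.Get("a")}}
	q.Del("a")
	u.RawQuery = q.Encode()
	return http.MethodPost, u.String(), form, nil
}

func main() {
	store := newKeyStore()
	store.put("tok123", `{"k0":"00","k1":"11"}`) // constructed sample bundle
	link := "https://example.invalid/new?a=tok123&use_post=true"

	u, _ := url.Parse(link) // 1. a browser opens the link: plain GET, rejected, token survives
	fmt.Println(serveKeys(store, http.MethodGet, u.Query(), nil))

	m, target, form, _ := clientRequest(link) // 2. the app POSTs and gets the keys
	tu, _ := url.Parse(target)
	fmt.Println(serveKeys(store, m, tu.Query(), form))

	fmt.Println(serveKeys(store, m, tu.Query(), form)) // 3. second use fails
	_ = handler(store)                                 // mount with http.Handle("/new", handler(store))
}
```

The order of the checks in `serveKeys` is the whole point: the method check runs before `store.take`, otherwise a stray GET would still consume the link even while returning an error.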
@robertclarkson
Member

Yeah sounds good.
I wonder if we allow direct QR code key transfer as well (assuming possible) while we're at it?
This would allow setup without any network requests. What do you think?

@PeterRounce
Member Author

I'm not so keen on keys in QR code for these reasons:

  • It widens the key exposure
  • It's good to find out if the service is not accessible by https:// early on
  • The service needs to be online for the app programming test to pass
