Push Tracker
ria-ran--sim-drop/config.yaml.example
A ashkan@beigi.net 0b362bbd0b Harden: gate /api/export behind an admin token (closed by default)
/api/export returns every subscriber's Ki/OPc and was reachable unauthenticated
by any WiFi client (and directly, since Flask binds 0.0.0.0). It now requires
server.admin_token via the X-Admin-Token header (constant-time compare) and is
disabled entirely when no token is configured.

Add admin_token to config.yaml.example. Tests: +2 (disabled/401/200); 86 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 22:01:59 +00:00

37 lines
840 B
Plaintext

network:
mcc: "302"
mnc: "720"
plmn: "302720"
op_key: "63bfa50ee6523365ff14c1f45f88737d" # 16-byte hex OP key
wifi:
ssid: "Emergency-5G"
channel: 6
ip: "192.168.4.1"
subnet: "192.168.4.0/24"
dhcp_range: "192.168.4.10,192.168.4.250"
server:
host: "0.0.0.0"
port: 5000
debug: false
admin_token: "" # set a secret to enable /api/export (sent as X-Admin-Token); empty = export disabled
database:
path: "/opt/esim-provisioning/data/subscribers.db"
rate_limiting:
max_profiles_per_mac: 1
window_hours: 1
core:
type: "none" # "open5gs" | "free5gc" | "none"
mongodb_uri: "mongodb://localhost:27017"
database_name: "open5gs"
profile:
carrier_name: "Ad-Hoc Network"
profile_name: "Emergency 5G"
apn: "internet"
smdp_address: "esim.local" # LPA activation-code SM-DP+ address