• State Verified Answer
  • Replies 1 reply
  • Subscribers 71 subscribers
  • Views 2256 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 113656
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

read and write authorisation

andrewjfox

Hi all,

I'm want to have an additional user authorisation process in my peripheral device by having a special characterisitic that the central has to write an encoded value to, before it can get read/write access to the rest of the characterisitics. When the central writes the correct value to this special char, then the peripoheral application sets a flag. When the central tries to write to a protected characterisitic, the application checks the flag and if not set, it returns INSUFFICIENT AUTHORISATION response.

A colleague has recently informed me that the BT spec requires that any central must be able to read/write to characterisitics (in this case the application must then ignore values that have been written if central is not authorised). My understanding, however, is that all characeristics must be discoverable, but allowing read/write of char values is at application discretion.

This is my first BT device so haven't been through the certification process. Is anyone able to clarify read/write authorisation requrements.

Thanks in advance

  • 0

    Your understanding is correct. Any client can read the GATT table, however any characteristic, unless it's specified that it must be open for reading and writing, and some standard ones are specified as such, can require authorization to read or write it and you can implement that any way you choose.

    Any client can attempt to read or write any handle, but you can decide whether it's allowed or not. For unauthorized reads you send back no data, just an error, for writes, you can just toss away whatever was sent to you and send back an error. Obviously the stack takes care of actually sending the error back for you.

    Insufficient Authorization is the appropriate response code in that case.

    Have a look at something like section 3.4.4.3 Volume 3 Part F of the spec (I'm looking at the 4.2 spec) which gives a list of valid responses to a read request starting with those pertaining to encryption, then the ones pertaining to authorization (your case here) and ending with a 'read not permitted' if that characteristic is generically not readable. There's similar sections for writes. I believe you are doing the correct thing here.

Related
Terms of service