Security issue here? #9
Comments
@umaxfun This is an update required for the README. The "amazon.com" URL listed is the URL that would be used to authorize the app if you provided your own API credentials in the config. If no credentials are provided, the "data-mind" URL is used which is simply an endpoint to allow users to use the app using my personal API credentials so they don't have to apply for their own and whitelist a security profile. This is just an endpoint so that my credentials (API key and secret) are kept secret to me. I can post the code that data-mind uses in another repo if you would like for users to view the code, however, all it is doing is authorizing my credentials to generate an access / refresh token for your account and passing it back down to your instance of this CLI app. If you would prefer not to use my credentials and not authorize the app, you are more than welcome to use your own credentials. Sorry for any confusion!
@umaxfun I've posted the endpoint code here that runs on the "data-mind" URL. https://github.com/alex-phillips/clouddrive-endpoint
Alex, thank you for clarification on that! Is it true that your app potentially has access to my storage account if I authorise via it?
'Authorizing' the application means to use my credentials to generate an access token that is in turn used to access your account. This token allows the API to communicate to your account and your account only. Without it, no access is permitted. The only piece of software that is storing this token is locally on your machine. If I were storing the tokens from each authorization request, then I could potentially use that to gain access, but I'm not. I'd like to point out that this is the case for any apps with non-public API access (Facebook, Twitter, Google, etc.). Any of these apps essentially work the same way. I'd like to make this project as transparent as possible as I understand the importance of personal data. I use cloud drive myself heavily. If there's anything else I can do to help with that, please let me know. I completely understand if you're not comfortable with this, but don't let it prevent you from using this project. I've built it so if you'd like to acquire your own credentials from Amazon, simply plug those into the
Hi,
Now the application URL to be authorized is https://data-mind-687.appspot.com, however the README says that the URL should be https://www.amazon.com/ap/oa?client_id=...
What app is being authorized to view my files? %)
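The question raised in this thread, which host is actually taking part in the authorization, can be checked from the URL the CLI asks you to open. The following is an added example, not code from the thread or from the project; it assumes the standard OAuth 2.0 query parameters (`client_id`, `redirect_uri`), and the parameter values and the `broker.example` host are constructed placeholders, with only the two hosts and the `/ap/oa` path taken from the thread.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

IDP_DOMAINS = ("amazon.com",)              # assumption: the provider's own domain
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def is_provider(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in IDP_DOMAINS)

def audit_authorize_url(url):
    """Report which hosts take part in the authorization that `url` starts."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    report = {
        "opened_host": parts.hostname,
        "client_id": query.get("client_id", [None])[0],
        "code_receiver": None,
        "third_party_in_path": False,
        "notes": [],
    }
    if parts.scheme != "https":
        report["notes"].append("authorization page is not served over https")
    if not is_provider(parts.hostname):
        # An intermediary starts the flow with its own client credentials,
        # so the tokens it obtains pass through it before reaching the CLI.
        report["third_party_in_path"] = True
        report["notes"].append("flow starts at a non-provider host")
        return report
    redirect = query.get("redirect_uri", [None])[0]
    receiver = urlsplit(redirect).hostname if redirect else None
    report["code_receiver"] = receiver
    if receiver is None:
        report["notes"].append("no redirect_uri: receiver is set in the app registration")
    elif receiver not in LOOPBACK:
        report["third_party_in_path"] = True
        report["notes"].append("authorization code is delivered to a remote host")
    return report

# Constructed samples: hosts and the /ap/oa path are from the thread, parameters are placeholders.
BROKERED = "https://data-mind-687.appspot.com"
def _direct(redirect_uri):
    return "https://www.amazon.com/ap/oa?" + urlencode({
        "client_id": "EXAMPLE-CLIENT-ID", "scope": "example-scope",
        "response_type": "code", "redirect_uri": redirect_uri})
DIRECT_LOCAL = _direct("http://localhost:8080/callback")
DIRECT_REMOTE = _direct("https://broker.example/callback")

if __name__ == "__main__":
    for sample in (BROKERED, DIRECT_LOCAL, DIRECT_REMOTE):
        print(audit_authorize_url(sample))
```

A report with `third_party_in_path` set means a host other than the provider and your own machine handles the code or tokens, which is the trust decision discussed in the comments above.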