Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue here? #9

Closed
umaxfun opened this issue Dec 9, 2015 · 4 comments
Closed

Security issue here? #9

umaxfun opened this issue Dec 9, 2015 · 4 comments

Comments

@umaxfun
Copy link

umaxfun commented Dec 9, 2015

Hi,

Now application url to be authorized is https://data-mind-687.appspot.com, however readme says that URL should be https://www.amazon.com/ap/oa?client_id=...

$ clouddrive init
Initializing...
Initial authorization is required
https://www.amazon.com/ap/oa?client_id=...

What app is being authorized to view my files? %)
@alex-phillips
Copy link
Owner

@umaxfun This is an update required for the README. The "amazon.com" URL listed is the URL that would be used to authorize the app if you provided your own API credentials in the config. If no credentials are provided, the "data-mind" URL is used which is simply an endpoint to allow users to use the app using my personal API credentials so they don't have to apply for their own and whitelist a security profile. This is just an endpoint so that my credentials (API key and secret) are kept secret to me.

I can post the code that data-mind uses in another repo if you would like for users to view the code, however, all it is doing is authorizing my credentials to generate an access / refresh token for your account and passing it back down to your instance of this CLI app.

If you would prefer not to use my credentials and not authorize the app, you are more than welcome to use your own credentials. Sorry for any confusion!

@alex-phillips
Copy link
Owner

@umaxfun I've posted the endpoint code here that runs on the "data-mind" URL. https://github.com/alex-phillips/clouddrive-endpoint

@umaxfun
Copy link
Author

umaxfun commented Dec 10, 2015

Alex, thank you for clarification on that! Is it true that your app potentially has access to my storage account if I authorise via it?

@alex-phillips
Copy link
Owner

'Authorizing' the application means to use my credentials to generate an access token that is in turn used to access your account. This token allows the API to communicate to your account and your account only. Without it, no access is permitted. The only piece of software that is storing this token is locally on your machine. If I were storing the tokens from each authorization request, then I could potentially use that to gain access, but I'm not.

I'd like to point out that this is the case for any apps with non-public API access (Facebook, Twitter, Google, etc.). Any of these apps essentially work the same way. I'd like to make this project as transparent as possible as I understand the importance of personal data. I use cloud drive myself heavily. If there's anything else I can do to help with that, please let me know.

I completely understand if you're not comfortable with this, but don't let it prevent you from using this project. I've built it so if you'd like to aquire your own credentials from Amazon, simply plug those into the config and there will be absolutely no communication except directly to Amazon. This 'endpoint' is just a way to allow for people to use this project with their own accounts without having to go through the entire development center at Amazon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@umaxfun @alex-phillips