I've been using Scrup for a few weeks now and have fallen in love with it, but the authentication thing has also been bugging me.
I understand that transmitting a secret key together with an upload request over an insecure connection is not "secure" either (as you mentioned in the PR of 16a2da6), but there are a few points to this change:
So, I took the freedom of forking your code and came up with this:
I've also thought about enforcing the use of HTTPS if the secret is set (as you suggested), but I came to the conclusion that this may be limiting pro-users.
I tried to keep it simple, please let me know what you think! I'd really like to see such a feature in Scrup, but probably don't have the experience to properly maintain a fork for long. :o
Also, please be gentle with my Objective-C, it's not exactly my every-other-day language. :-)
Update Xcode Project to Mac OS 10.7 and Xcode 4.3.2
Also remove some obsolete build parameters (suggested by Xcode)
Send base64 encoded security token in the HTTP-Header
This adds a new NSTextfield for a "secret key" which is sent with the
image's upload request.
OpenSSL is used to base64-encode the token, as an HTTP header needs to be
7-bit ASCII clean, as per RFC 1945.
Make recv.php check for the secret
Use the $_SERVER array to get to the HTTP-Request-Header data.
Save the secret to the dictionary so it doesn't get lost on restarts
Make it possible to return the http-link over HTTPS
This may be useful to people with a self-signed SSL certificate, which
they themselves have marked as valid, but other people receiving the link might
Warn user about the security issue when using HTTP + Auth
The user may choose to re-edit the URL or ignore the error, forever
(saved to NSUserDefaults).
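
The server-side check the commits above describe (a base64-encoded secret in a request header, read through `$_SERVER`), shown as an added example; it is not the recv.php from this pull request. The header name `X-Upload-Secret` and the `UPLOAD_SECRET` environment variable are assumptions, since the page does not name them.

```php
<?php
// Added example, not the project's recv.php.
// Assumed names: X-Upload-Secret header, UPLOAD_SECRET environment variable.

function upload_is_authorized(array $server, string $expected): bool
{
    // This example fails closed: an empty configured secret authorizes nothing.
    if ($expected === '') {
        return false;
    }
    // PHP exposes the request header X-Upload-Secret as HTTP_X_UPLOAD_SECRET.
    $encoded = $server['HTTP_X_UPLOAD_SECRET'] ?? '';
    if (!is_string($encoded) || $encoded === '') {
        return false;
    }
    // Strict mode returns false on characters outside the base64 alphabet.
    $token = base64_decode($encoded, true);
    if ($token === false) {
        return false;
    }
    // Constant-time comparison: timing does not reveal how much of the secret matched.
    return hash_equals($expected, $token);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, checked when the file is run from the command line.
    $secret = 'pässwort 123'; // non-ASCII, which is why the client base64-encodes it
    $cases = [
        'valid token'   => [['HTTP_X_UPLOAD_SECRET' => base64_encode($secret)], true],
        'wrong token'   => [['HTTP_X_UPLOAD_SECRET' => base64_encode('guess')], false],
        'not base64'    => [['HTTP_X_UPLOAD_SECRET' => '***'], false],
        'header absent' => [[], false],
    ];
    foreach ($cases as $name => [$server, $want]) {
        $got = upload_is_authorized($server, $secret);
        echo ($got === $want ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    }
} else {
    $expected = getenv('UPLOAD_SECRET') ?: '';
    if (!upload_is_authorized($_SERVER, $expected)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("forbidden\n");
    }
    // Authorized: the upload handling would continue here.
}
```

Base64 here only makes the value header-safe; over plain HTTP the secret is still readable in transit, which is the case the HTTP + Auth warning covers.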