Different approach to authentication #29


v4lli commented Apr 10, 2012

Hi there,
I've been using Scrup for a few weeks now and have fallen in love with it, but the authentication thing has also been bugging me.

I understand that transmitting a secret key together with an upload request over an insecure connection is not "secure" either (as you mentioned in the PR of 16a2da6), but there are a few points to this change:

  • Any authentication is better than none at all
  • SSL solves this problem
  • Although possibly insecure over-the-cable, it prevents malicious users from uploading anything to your server
  • The "default" can still be the simple method that does not require a key

So, I took the liberty of forking your code and came up with this:

  • New 'Secret' input field
  • Warning dialog on insecure connections

I've also thought about enforcing the use of HTTPS if the secret is set (as you suggested), but I came to the conclusion that this may be limiting pro-users.

I tried to keep it simple, please let me know what you think! I'd really like to see such a feature in Scrup, but probably don't have the experience to properly maintain a fork for long. :o

Also, please be gentle with my Objective-C, it's not exactly my every-other-day language. :-)

v4lli added some commits Apr 10, 2012
@v4lli v4lli Update Xcode project to Mac OS 10.7 and Xcode 4.3.2
Also remove some obsolete build parameters (suggested by Xcode)
@v4lli v4lli Send base64 encoded security token in the HTTP-Header
This adds a new NSTextfield for a "secret key" which is sent with the
image's upload request.
OpenSSL is used to base64-encode the token, as an HTTP header needs to be
7-bit ASCII clean, as per RFC 1945.
@v4lli v4lli Make recv.php check for the secret
Use the $_SERVER array to get to the HTTP-Request-Header data.
@v4lli v4lli Save the secret to the dictionary so it doesn't get lost on restarts 682a0f9
@v4lli v4lli Make it possible to return the http-link over HTTPS
This may be useful to people with a self-signed SSL certificate, which
they themselves have marked as valid, but other people receiving the link might
@v4lli v4lli Warn user about the security issue when using HTTP + Auth
The user may choose to re-edit the URL or ignore the error, forever
(saved to NSUserDefaults).
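For readers who want to see what the server side of this PR amounts to, here is the check recv.php would perform, written out as an added example. It is not Scrup's actual recv.php and not v4lli's patch: it reads the base64-encoded secret from the request header via $_SERVER, as the commit message describes, and adds the two things a reviewer would ask for on top of that: a constant-time comparison, and an optional refusal to accept the secret over plain HTTP (the server-side counterpart of the client's warning dialog; the PR deliberately leaves HTTPS unenforced, so it is a switch here). The header name X-Scrup-Secret, the SCRUP_SECRET environment variable and the $require_https switch are assumptions, not names from the project.

```php
<?php
// Added example, not Scrup's recv.php: check a shared secret that the client
// sends base64-encoded in a request header. Header name, the environment
// variable holding the secret and the HTTPS policy switch are assumptions.

// Assumed configuration: the same secret the user typed into the client.
define('SCRUP_SECRET', getenv('SCRUP_SECRET') ?: '');

/**
 * Return true if the request carries the expected secret.
 *
 * The client is assumed to send it as "X-Scrup-Secret: <base64>"; PHP exposes
 * that header to the script as $_SERVER['HTTP_X_SCRUP_SECRET'] (the name is
 * upper-cased, dashes become underscores, and "HTTP_" is prefixed).
 */
function request_is_authenticated(array $server, $expected)
{
    if ($expected === '') {
        // No secret configured: behave like the original key-less Scrup.
        return true;
    }
    if (!isset($server['HTTP_X_SCRUP_SECRET'])) {
        return false;
    }
    // strict=true makes base64_decode() reject characters outside the base64
    // alphabet instead of silently skipping them.
    $presented = base64_decode($server['HTTP_X_SCRUP_SECRET'], true);
    if ($presented === false) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading bytes of a guessed secret were right.
    return hash_equals($expected, $presented);
}

/**
 * Return true if the request arrived over TLS. Covers Apache/nginx, which set
 * $_SERVER['HTTPS'], and a TLS-terminating proxy that sets X-Forwarded-Proto.
 * Only trust the latter when the proxy is the only path to this host, since
 * any client can send that header itself.
 */
function request_is_https(array $server)
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Policy switch (assumption): when a secret is configured, refuse to accept it
// over plain HTTP, because on an unencrypted connection anyone on the path can
// read the header and replay it. Set to false to mirror the PR's behaviour of
// only warning on the client.
$require_https = true;

if (SCRUP_SECRET !== '' && $require_https && !request_is_https($_SERVER)) {
    http_response_code(403);
    exit("Secret-based uploads are only accepted over HTTPS.\n");
}

if (!request_is_authenticated($_SERVER, SCRUP_SECRET)) {
    http_response_code(401);
    exit("Missing or wrong secret.\n");
}

// The original upload handling (move_uploaded_file(), building the link that
// is returned to the client) would follow here.
```

Two caveats when adapting this: hash_equals() exists from PHP 5.6, so on older hosts a loop that XORs every byte and only inspects the result at the end is needed to keep the comparison constant-time; and base64 is only transport encoding, not protection, so the secret is exactly as exposed on the wire as it would be in plain text, which is why the HTTPS check matters.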