Different approach to authentication #29

Open
wants to merge 6 commits into
from

Projects

None yet

1 participant

@v4lli
v4lli commented Apr 10, 2012

Hi there,
I've been using Scrup for a few weeks now and have fallen in love with it, but the authentication-thing has also been bugging me.

I understand that transmitting a secret key together with an upload request over an insecure connection is not "secure" either (as you mentioned in the PR of 16a2da6), but there are a few points to this change:

  • Any authentication is better than none at all
  • SSL solves this problem
  • Although possibly insecure over-the-cable, it prevents malicious users from uploading anything to your server
  • The "default" can still be the simple method that does not require a key

So, I took the freedom of forking your code and came up with this:
New 'Secret' input field
Warning dialog on insecure connections

I've also thought about enforcing the use of HTTPS if the secret is set (as you suggested), but I came to the conclusion that this may be limiting pro-users.

I tried to keep it simple, please let me know what you think! I'd really like to see such a feature in Scrup, but probably don't have the experience to properly maintain a fork for long. :o

Also, please be gentle with my Objective-C, it's not exactly my every-other-day language. :-)

v4lli added some commits Apr 10, 2012
@v4lli v4lli Update XCode Project to Mac OS 10.7 and XCode 4.3.2
Also remove some obsolete build parameters (suggested by XCode)
8eaeb40
@v4lli v4lli Send base64 encoded security token in the HTTP-Header
This adds a new NSTextfield for a "secret key" which is sent with the
image's upload request.
OpenSSL is used to base64-encode the token, as a HTTP Header needs to be
7Bit ASCII clean, as per RFC1945.
2ef2929
@v4lli v4lli Make recv.php check for the secret
Use the $_SERVER array to get to the HTTP-Request-Header data.
016353b
@v4lli v4lli Save the secret to the dictionary so it doesn't get lost on restarts 682a0f9
@v4lli v4lli Make it possible to return the http-link over HTTPS
This may be usefull to people with a self-signed SSL certificate, which
they themselves have marked as valid, but other people receiving the link might
not.
4ebc064
@v4lli v4lli Warn user about the security issue when using HTTP + Auth
The user may choose to re-edit the URL or ignore the error, for ever
(saved to NSUserDefaults).
837d0db
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment