about app api keys and sessions #21
Comments
Hi, regarding the api key, I think that (at the moment) it simply allows you to skip the classic authentication step which involves sending your email and a hash of your password. Maybe they will add more features like effective granular permissions, analytics, expire time, etc.
A session is composed of 3 elements
They can be saved anywhere and reused without the need to re-authenticate. To understand these values, you need to understand what happens when you create an account and when you log in with that account. When you create an account on mega, the browser (client-side) computes the following parameters:
Then it sends these values to the mega server:
When you log in, you send to the mega servers:
If mega finds your account, meaning that it finds the combination email+user_hash1 in its database, it sends you these values:
Now, it should be clear how to obtain the session values...
All this mechanism is to ensure that mega never knows your real password and your RSA private key. And now, the game is on! With these values you can query for the files' metadata/content and decrypt them.
As far as I know, sessions last forever. PS: Can you explain better your use-case scenario and how persisting a session can help your work?
many thanks for the time spent writing down how it works, I can describe my use case but I prefer doing it in private -- are you Italian by any chance?
@masterkain yes
can't contact on github, can you please send a ping to masterkain@gmail.com or @masterkain on twitter? thanks!
hello,
the mega documentation states that you need an api key to call the API, but this gem doesn't seem to provide a way to include it in requests; it's working though, so I don't understand if it's mandatory or not, do you have any more info about that?
about sessions: I saw other libraries (php, etc.) providing a way to represent and persist the session to be able to reconstruct it when needed. Do you have more information about mega sessions to share, how they roughly work, if they expire, etc.?
thanks