This repository has been archived by the owner on Mar 25, 2019. It is now read-only.

zooniverse server doesn't complain about uploads with incorrect ApiKey in the Authorization. #184

Open
murraycu opened this issue Nov 13, 2014 · 0 comments

Comments

@murraycu (Contributor)

I guess this is a server bug, but the server isn't open source, so I'm reporting it here.

In the android app that I'm developing, I've noticed that the server doesn't care what ApiKey value you put in the Authorization when uploading classifications. It will return an OK_CREATED response code whatever you provide.

I think there's also no way for the client to check that its ApiKey is still valid, because login requires a password, not the ApiKey.

Presumably, when a user changes their password on one computer (or browser), and then uses another computer (or browser), on which they were previously logged in, their contributions will silently become anonymous.

If you can't test this easily otherwise, you can try changing this code in the android app to specify a garbage authApiKey:
https://github.com/murraycu/android-galaxyzoo/blob/master/app/src/main/java/com/murrayc/galaxyzoo/app/provider/client/ZooniverseClient.java#L296

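The issue above is really two server-side gaps: an upload that carries a wrong ApiKey is still accepted (and presumably attributed to nobody), and there is no endpoint a client can hit to learn whether the key it cached is still valid after a password change. The following is an added example, not the Zooniverse server's code (which is not open source) and not from android-galaxyzoo; it sketches how a server would close both gaps. The `Authorization: apikey <key>` scheme, the `/me` check, the `ACTIVE_KEYS` table and the sample key values are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: api keys the server currently accepts, mapped to their owner.
# A user's key is replaced on password change, which is what makes a stale key
# on another device invalid. (Assumed storage; not the real server's design.)
ACTIVE_KEYS = {
    "key-alice-v1": "alice",
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def parse_api_key(authorization: Optional[str]) -> Optional[str]:
    """Extract the key from an 'Authorization: apikey <key>' header (assumed scheme name)."""
    if not authorization:
        return None
    scheme, _, credential = authorization.strip().partition(" ")
    if scheme.lower() != "apikey" or not credential.strip():
        return None
    return credential.strip()


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the owner of the presented key, or None if it matches no active key.

    Each comparison is constant-time so a wrong key cannot be told apart from a
    right one by response timing.
    """
    presented = parse_api_key(authorization)
    if presented is None:
        return None
    for stored, user in ACTIVE_KEYS.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return user
    return None


def post_classification(headers: dict, classification: dict) -> Response:
    """Upload endpoint.

    A presented-but-wrong key gets 401 instead of a 201 that silently stores the
    classification as anonymous (the behaviour the issue reports). Only a request
    with no Authorization header at all is treated as a deliberate anonymous upload.
    """
    if "Authorization" in headers:
        user = authenticate(headers["Authorization"])
        if user is None:
            return Response(401, {"error": "invalid api_key"})
    else:
        user = None
    # Storage is out of scope; echo what would be recorded.
    return Response(201, {"user": user, "stored": classification})


def get_me(headers: dict) -> Response:
    """Cheap validity check so a client can confirm its cached key without a password."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        return Response(401, {"error": "invalid api_key"})
    return Response(200, {"user": user})


def rotate_key(user: str) -> str:
    """Called on password change: revoke the user's old key(s) and issue a fresh one."""
    for key, owner in list(ACTIVE_KEYS.items()):
        if owner == user:
            del ACTIVE_KEYS[key]
    new_key = secrets.token_urlsafe(24)
    ACTIVE_KEYS[new_key] = user
    return new_key


if __name__ == "__main__":
    print(post_classification({"Authorization": "apikey garbage"}, {"id": 1}))
    print(get_me({"Authorization": "apikey key-alice-v1"}))
    rotate_key("alice")
    print(get_me({"Authorization": "apikey key-alice-v1"}))  # stale key is now refused
```

With this shape, the "garbage authApiKey" experiment the issue suggests would produce a 401 rather than OK_CREATED, and a client that was logged in on another device learns its key is dead from the `/me` check (or from the 401 on its next upload) instead of having its contributions quietly become anonymous.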
murraycu added a commit to murraycu/ios-galaxyzoo that referenced this issue May 18, 2015
… encoding.

With this, the server reports a successful upload, but I don't yet see
the uploads on my profile page:
http://www.galaxyzoo.org/#/profile/recents/1
Something else must be wrong. We already know that the server can report
success when the apiKey is wrong, for instance:
zooniverse/Galaxy-Zoo#184
However, in this case our Authentication header does seem to be
exactly the same as what android-galaxyzoo uses for the same login,
and that still works.
murraycu added a commit to murraycu/android-galaxyzoo that referenced this issue May 21, 2015
By asynchronously caching the login status (async because we are asking
the AccountManager, not because we are asking the server) in onResume()
and using that in onPrepareOptionsMenu().
However, this will incorrectly show the user as logged in if they
change their password on the web server - clients have no way
to check that the api_key is still valid, even when using the api_key
to submit a classification:
zooniverse/Galaxy-Zoo#184

This fixes this issue:
#18