So in order to keep things secure we decided to change the master key of our Parse Server.
Our iOS kept working because it only requires the app id, that was expected but surprisingly our PHP scripts kept running as well, even though they were initialized with the WRONG MasterKey.
Does the Parse PHP SDK completely ignore the master key change?
How could we ever prevent old php scripts who happen to have the an application key to access our Parse and "read" data?
According to the docs:
ParseClient::initialize('YOUR_APP_ID', '', 'YOUR_MASTER_KEY');
ParseClient::setServerURL('http://YOUR_PARSE_SERVER:1337/parse');
1.) Yes, the parse php sdk doesn't do any validation on the master key. The validation occurs on the side of the Parse Server you're running. Essentially the master key exists to allow overriding of ACLs as mentioned in the sdk docs. It is submitted to the server when a request is sent that asks for use of the master key.
Basically, if you make any requests that need to override ACLs and you indicate to use the master key, then the master key will be sent. In other cases the master key is not sent. You can test this out by writing up some quick code that will send the master key, like $object->save(true). In this case your master key should fail if it does not match what is loaded in the server.
2.) You really can't prevent someone from figuring out your App Id. The security you're looking for is not as much on the client's end as it is on the server's. You should be making sure to setup object and class ACLs to restrict access to all objects (and classes) that you do not want to be read (or written to) by arbitrary individuals. Roles are a fairly good way of applying this to a broad set of objects, like restricting access to an Admin role. If you lock your data down it would require someone to compromise an existing account with access to that given data, rather than just use your App Id.
That being said you should always be wary of someone who might manage to grab your master key, as it would allow them to bypass all of those ACLs you setup (keep it safe!).
I hope this helps to clarify the role of the master key for you guys.
My suggestion to you would be the following.
Use RestKey for PHP as your second argument and then IOS you can just use clientKey as your second argument.
Just ensure that you add both restKey and clientKey to your construct server side.
my working swift3 example too!
let configuration = ParseClientConfiguration {
$0.applicationId = PARSE_APP_KEY
$0.clientKey = PARSE_CLIENT_KEY
$0.server = PARSE_URL
$0.isLocalDatastoreEnabled = true
}
Parse.initialize(with: configuration)
EDIT /QUOTE:
If you take a look in ParseClient::initialize the master key is stored in the static var $masterKey. This is used in ParseClient::_getRequestHeaders (when master key use is requested) to provide the X-Parse-Master-Key header with the master key as the value.
The master key is definitely used, but it depends on the request. If $useMasterKey is false for a given request in ParseClient::_request (the default value is false as well) the master key will not be added to the request headers. In such a case the master key will not be used, but this is expected behavior.
Related
Everything is more or less said in the title. When I start the sentry sdk I have a dsn string that I have to write in my code to initialize it. I was wondering if I can hardcode this string or if I have to store it somewhere else. I wonder if it is dangerous or not. Thanks in advance.
Example of initialization: Sentry.init("https://examplePublicKey#o0.ingest.sentry.io/0")
This is a public address. The DSN string only allows events to be sent to a Sentry project. It doesn't give access to retrieve any data from it nor it can be used to execute any operation on your behalf. If for some reason it gets abused (bogus events start coming in), you can easily discard that DSN and create a new one.
I had a fully functional encrypt/decrypt method set with Laravel, I tested it properly and was working fine.
The other day I received an error saying The Payload is Invalid and started debugging: looks like the function is not working. So I tested again but it works fine if I'm the one creating the encrypted records, which doesn't make sense because it should either work or fail every single time. Again, the method is a simple encrypt/decrypt of a column named password in the database on a table named servers.
Any idea what the problem may be? Is it possible that Laravel encrypts for a specific user? If so, how can I encrypt for multiple users?
I found a solution changing the encryption mechanism from
encrypt() -> decrypt()
to
Crypt::encryptString() -> Crypt::decryptString()
If anybody has an explanation why the second method works where the first doesn't, feel free to expand and you'll have my upvote
I was trying to deploy a simple TURN server using coturn.
When I test it on Trickle ICE (turn:rtc.jackxujh.me:3478 [webrtc:mighty]), Trickle ICE says "Authentication failed?".
The coturn server keeps reporting this error:
ERROR: check_stun_auth: Cannot find credentials of user
Here is the complete turnserver.conf I am using (by uncommenting lines of the coturn sample conf):
external-ip=39.108.74.114/XXX.XXX.XXX.XXX #(XXX is internal IP)
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=XXXXXXXX... #(XXX is the secret)
realm=rtc.jackxujh.me
user=webrtc:0xXXXXXXXX... #(XXX is the key)
cert=/etc/letsencrypt/live/rtc.jackxujh.me/cert.pem
pkey=/etc/letsencrypt/live/rtc.jackxujh.me/privkey.pem
mobility
I find a related discussion on GitHub, but I don't feel there is a solution at the end.
In fact, I am confused whether my conf file is using TURN REST API or not.
Meanwhile, I tried to check if there was a user named webrtc in turndb, by using # turnadmin -l, but the output was nothing. (Is this command correct?)
In fact, I am confused whether my conf file is using TURN REST API or not.
I can confirm You use REST API because use-auth-secret is set
use-auth-secret
So you need to use a unixtimestamp as username, and the hashed password..
user=timestamp:userid
password=base64(hmac(secret key, user)
Read more about the difference of Long-Term-Credential and REST:
https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
If you want to use normal username/password use the long-term-credential so remove use-auth-secret
and set it statically or in db
user=username1:key1
turnadmin
turnadmin -l
list static and db users.
So in case of REST is correct the empty list.
I have the following scenario:
Server A:abpWeb;
Server B:abpWeb;
A and B are based on MyCompanyName.AbpZero template, abp. Net core version 3.1.1;aspnetboilerplate
Browser access A:abpWeb and B:abpWeb. But after logging in, cookie shared is invalid.
A:User.Identity?.IsAuthenticated equals true after Browser access A:Login;
But refresh B:/index on the browser,B:User.Identity?.IsAuthenticated equals false;
The same browser domain for A and B is the same.
I created two new ASP.NET Core 2.0 MVC apps with ASP.NET Core Identity, using AddDataProtection for the normal shared cookie is ok.
I referred to:
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?tabs=aspnetcore2x
I am searching for a long time on net. But no use. Please help or try to give some ideas how to achieve this.
Thanks in advance.
The keys that encrypt/decrypt your cookies are probably trying to be written to an invalid folder.
By default AddDataProtection tries to write these keys to:
%LOCALAPPDATA%\ASP.NET\DataProtection-Keys
As long as there is an environment variable being used to create the keys path, you will need to set the following config file setting to true.
Please also see my other answer here:
IIS - AddDataProtection PersistKeysToFileSystem not creating
Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.
After a research it seems that Meteor Sessions are reset after refreshing page or opening the website in new tab, i.e. they are not usual server-side sessions but something like global javascript variables on client-side. Some people advice to use AmplifyJS, but I'm not sure that it will work like usual session in other frameworks/languages and also it is a third party library, so is there any normal way to use sessions in Meteor, i.e. keep user-specific data on server?
At this moment I'm handling that by using custom Collections, but it is not an ideal way of doing that because it is needed to remove expired values from Collection manually, which makes additional troubles.
Yes this is correct. Despite the name Session is nothing like a cookie, but just a reactive form of a variable stored in a hashmap
To keep data persistent across tabs you need to use a Collections (as this is the only way to reactively share data across tabs) - Cookies can't work because they can't be made reactive as data needs to be sent to the server to notify the client when there is a change. There really wouldn't be another way at the moment as the publish/subscribe methods can only send down data from collections at the moment.
You can use your setup you have now with your custom collection. You can use a server side cron job to remove expired data (either with Meteor.setInterval or Tom Coleman's cron.
There is a package developed just for that: https://atmospherejs.com/u2622/persistent-session
After installation you can use the following functions to set sessions which are persistent:
//store a persistent session variable which is stored across templates
Session.setPersistent(key, value);
//same as above, but automatically deletes session data when user logs out
Session.setAuth(key, value);
I've tried the package and it works like charm.