I want to supply my users a Dropbox access token trough my Parse server.
For the one who don't know, Dropbox access token is a string that supplies direct access to a dropbox account files, it should be secret, because if anyone finds it he can delete all the files.
My server should store many access tokens and it should supply the user the correct token, but the problem is that because the anonymous log in i'm afraid that if someone will know the parse server key, he could get all the secret dropbox access tokens.
In first place i supply the access tokens in server for security reasons and not put it hard coded to protect it.
But what's the difference if i put the parse key hard coded?
Is there a way to handle this?
thanks.
Yes you are correct. If somebody knows your ApiKey he can query your parse server without any problem unless you use ACL
ACL is access control list which allows you to decide (on the application level) which users/roles can read or write to one or more parse objects or parse users. In runtime Parse will check if the logged in user has an access to read or write the object and only if it will have an access it will return the results to the client.
So i suggest you to protect your users/tokens with ACL's if you like to protect only the access tokens then i suggest you to create a separate class that will store the user access token and in this class you need to create an ACL for the relevant user only.
You can read more about ACL's in here:
iOS SDK
Android SDK
JavaScript SDK
Related
Plaid and security newbie here.
From what I understand, access tokens are valid indefinitely, granting the user access to information regarding one of their accounts.
Each account possesses a unique access token, and the tokens can only be invalidated either through the 'delete' request or through a user changing their password for that specific bank/account.
I'd like to keep them secure, and reduce the risk of them being accessed by hackers/nefarious actors, etc.
What would be the best way to store them though?
From what little I know, it might be best to keep them in the backend and use them when needed to access user data on request, then send that resultant data to the frontend (with other protections in place like verification and authentication of the user).
Is there a more secure way to store them? Perhaps to encrypt them between calls?
And a follow-up, any thoughts on storing these tokens in something like Supabase? From what I've read and seen, Row Level Security might help mitigate some of the risk, no?
Your general thinking seems right to me -- access tokens should be stored in an access-controlled database on the backend and never stored on the client side. Encrypting access tokens at rest is recommended but not required. As you think about your security model, note that that the access token alone doesn't grant data access -- the access token + API client ID + API secret key combination is required for data access.
I am building an application where I need to generate PDF and save it on disk. However the file can only be access on authorization i.e. only loggedin user let's say with user role Admin can access the file and no one else can access those file.
Please guide me how can I achieve this.
I recommend using Spring-Security..
I'm no expert in Spring-Security, but what I would do initially is have an endpoint with #PathVariable, so the variable would be the key id for the search for the file on disk, but each user can only access their own key, and such validation rule has to be done in the backend.
for example:
/doc/215425245354
spring-security will validate the access to /doc/** and the key you implement the validation if it matches the user's file or not, in order to not let him access a file of another user.
I hope I was able to give you some direction. :)
I need to check the uploaded videos on a YouTube Channel and then upload missing videos via a CRON JOB.
I first thing I tried was the REST API and the server response with the endpoint was moved.
The problem I ran into with the PHP Google API Client is that it requires the user to authorize the token.
I now tried using the Python Code, but it also requires a authorize session. Also when creating the OAuth 2.0 client ID we are suppose to use OTHER. And there is no OTHER.
Python quickstart
Any Ideas? This has been really frustrating as there does not seem to be a lot of examples other than the ones Google provides. I also could not find a rest equivalent. I do not care if the solution is python or Rest or PHP client. I just need a user less CRON job doing the work.
What you need to consider is that there are two types of data public data and private data.
Public data is not owned by any user. Videos on YouTube for example for the most part are publicly available and do not require authorization to access. On the other had private data is data that is owned by a user.
In order to access public data you just need an api key to identify your application, however in order to access private user data you need the permission of the user who owns the account in question.
In order to upload to a users account (yes even your own) you need to be authenticated there for you will need to use Oauth2 yes even if you are using a cron job you still need to be authenticated there is no way around this. There for you will need to create Oauth2 credentials.
What i recommend you do is. Authorize your code once your your local machine store the refresh token and use the refresh token to request a new access token when ever your cron job needs access. I recomend you give that a try and if you have any issues create a new question include your code and a description of the problem you are having.
This is your only option with the YouTube API.
Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your api key can read the user collection from your parse server. Api key is not the best approach to protect your app because anybody can know it by putting "sniffing" your network requests.
In order to protect and provide access you can protect your objects with ACL's which allows you to create access for specific user (who is logged in) or to specific role. So you have couple of options:
Create a master user - each user must have username and password and when you create your parse objects make sure that only this specific user create/read/delete and update them. You must only to make sure that when you create an object you create ACL for this user so only this user will be able to modify and read the object. You can read more about parse-server security and ACL's in here: http://docs.parseplatform.org/rest/guide/#security
Using parse cloud code - In cloud code there is a nice feature of useMasterKey which provide full access to any object of parse-server so for each operation that you run (via JS SDK) you can also set the useMasterKey to true and then parse-server will ignore all the ACL's and will execute the query for you. The useMasterKey feature work only in cloud code context so it's safe. If you want to provide additional level of security you can run the cloud code function with your master user (from section 1) and check inside the cloud code for the user session so if the session is empty then you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validate the user session:
if (!request.user || !request.user.get("sessionToken")) {
response.error("only logged in users are allowed to use this service");
return;
}
I'm using the roo library to run a sort of program with Google Spreadsheet as a database of sorts.
It's only intended for my use, but if anyone else wants to try and use it they need to log in with their Google account (username and password). In putting simple gets functions I'm aware people may be hesitant to do this, and in the response upon login I've noticed access tokens can be used instead:
oo = Roo::Google.new(sheetkey, user: GOOGLE_MAIL, password: G> =>
#<Roo::Google:0x3429798 #filename="**the Google spreadsheet key**",
#user="myemailaddress#gmail.com\n", #password="*SECRET!*\n", #access_token=nil ,
...
Could I/should I use an access token in this case? I've not done something with an API in this way before but have made maps with Google Maps which I think used an access token to allow a greater number of calls to the API... Would this simplify matters for me or have I got the wrong end of the stick?
Would giving out an access token allow people into my account i.e. have my permissions on Google Drive (clearly not what I want)?
I've set the document in question to public and it says "does not require sign in to view" but I understand that this might not hold for programs accessing the API.
Access Tokens: Yes, if you want others to be able to use code to access your spreadsheet, you can give them an access token. This will mean they can only access your spreadsheets (access is defined in the scope).
I assume your plan is to make the code public.
issues:
A) You will need both the access token and refresh token, as access tokens quickly expire, maybe after 1 hour (not sure).
B) I would create a 2nd Google account, that way they can't access all your spreadsheets.
Example OAuth code: Have a look at DrEdit for some example code that uses access tokens.
Note: Google-apps-script might be another option, simpler to use than google-spreadsheet-api