I am developing a chrome application for storing encrypted user files. It uses Dropbox as a backend cloud storage file system. For simplicity the user logs in to the app using OAuth2 protocol of Dropbox API. Now for logging out the user I used the /disable_access_token as mentioned on the API page. This revokes the access_token but does not completely logs out the user because the next time I launch the app and click on login the app does not prompts for user credentials hence automatically logging in the previous/same user again.
Same question was asked at this link: Deauthentication through Dropbox JSON API (webhooks) but I did not get a satisfactory working answer over there and because of low reputation points currently could not even comment there.
EDIT: I tried removing all cookies set from the domains of dropbox.com as well.
Related
I am currently evaluating the security risks for an electron app I am working on, with regards to whether it is possible to copy a file, or bunch of files stored on the user’s hard drive by electron, and just paste them into another installation on another machine and thus automatically be logged into the application using the session of the user who was logged in on the first machine. We use token auth in our app.
I noticed that electron stores its cache in a particular folder as mentioned here How to clear the cache data in Electron(atom shell)?.
Among those files I noticed a 'Cookies' file which seems to be an sqliteDB. When you open this with an sqlite db reader you can view the cookie data as plain text. However this doesn’t seem to contain the auth cookie of the currently logged in user.
Hence some of the questions I’m hoping to get answers to are:
When we log a user in the user’s auth token is stored in a cookie. Is this cookie stored in a particular file on the hard drive by electron which can be copied into another machine to spoof/hijack a user’s session?
If the answer to question 1 is yes is there a way to prevent this?
I am not a pro on security, so forgive me if I've gotten some security terminology wrong.
I created a Chrome extension which is just HTML/CSS/JavaScript. When the user clicks on a button, I have it send a message to me. But the problem is I don't want to include any API keys or server information where the app can POST to as it can be used for abuse if someone was to extract this information from my Chrome app. Is there a method of getting a response from a web app with a public service where anyone can post to? I was thinking pastebin, but even that requires an API key.
You could ask the user to create their own key. For example, many GitHub extensions require an API key to make requests to the GitHub API, so what they do is they send you to a GitHub settings page where you can create a personal API key.
I have a Hapi backend for my website where on the front-end, a user logs in on my website using his Google account and then I do the usual process of sending the id_token to the server to decrypt and verify his Sub field to authorize the user.
The problem arises when the user logs out of Gmail or Google apps on some other tab or window, the user is logged out of my website by Google on the front end and I am unable to control or know it (at the backend).
This renders my session maintenance useless at the server as the user is forcibly logged out on the front end.
I saw that Stack Overflow has (obviously) taken care of this and even when I log out of my Gmail, I still stay logged in on SO. This is exactly what I want for my app wherein I am able to control the session at the client-side even when he or she logs out. What do I need to do?
I'm building a web application that allows a specific user to upload videos to a YouTube account through the use of the YouTube API. The uploading of videos will be done by only one person & videos will be uploaded only to one account. If the YouTube account is already authorized by the app to manage the channel etc, how can I setup the application in such a way that the user bypasses the authentication/login screen every time he/she needs to upload a video? (That is when the user exits and re-enters application.)
While reading, a solution I stumbled upon a solution which was to use a refresh token but I don't know how to integrate it with the code I have currently. The code I'm using is the one available on the Google Developers site, link below.
https://developers.google.com/youtube/v3/code_samples/javascript#upload-a-video
Please note that I've gone through & read all similar questions on this forum but none provides Javascript help/solution.
Normally i would say that you should use a service account which would allow you to preauthorize the access to YouTube. However the YouTube API does not support service accounts so your going to have to do it the hard way.
You will need to authenticate your application once and save the refresh token. Then you will be able to use the refresh token again later to get a new access token. You will have to watch this application refresh tokens can expire its rare but it can happen so you should have something set up that will allow you to quickly reauthenticate it and save a new refresh token.
To my knowledge it is not possible to get a refresh token with JavaScript your going to have to use a server sided language like node.js for example. This tutorial should show you how to get offline access with node js. Node.js Quickstart
A few web-based applications I maintain have been using JavaScript on the page to fetch posts from Instagram* through their API, only authenticating with a client_id. With the Instagram API changes recently (applications are sandboxed until approved) this no longer works.
Is this kind of application allowed by Instagram? Or is it considered a security risk to expose the client_id in the Javascript that performs the request? If it matters, the application is for internal use by a few employees only.
* Specifically, the 10 last posts from a fixed user.
All instagram API endpoints now require a valid access_token rather than client_id. The search endpoint is an example of one that didn't previously require an access_token. You can find this in the Change logs
All API endpoints require a valid access_token
All API endpoints require a specific permission scope granted by the user
You can authorise your own account and grab the last 20 posts, but for any more than that you will need to submit your app for review
Try to create a new app.. My app was deleted instead of going to sandbox mode.
As you need 10 last posts, this should work on sandbox mode.
Content Display for Personal Website. If you are a developer and you want to showcase Instagram content on a website, then you do not need to submit your app for review. By using a client in sandbox mode, you will still be able to access the last 20 media of any sandbox user that grants you permission.