Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Different approach to authentication #29

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Different approach to authentication #29

wants to merge 6 commits into from

Conversation

v4lli
Copy link

@v4lli v4lli commented Apr 10, 2012

Hi there,
I've been using Scrup for a few weeks now and have fallen in love with it, but the authentication-thing has also been bugging me.

I understand that transmitting a secret key together with an upload request over an insecure connection is not "secure" either (as you mentioned in the PR of 16a2da6), but there are a few points to this change:

  • Any authentication is better than none at all
  • SSL solves this problem
  • Although possibly insecure over-the-cable, it prevents malicious users from uploading anything to your server
  • The "default" can still be the simple method that does not require a key

So, I took the freedom of forking your code and came up with this:
New 'Secret' input field
Warning dialog on insecure connections

I've also thought about enforcing the use of HTTPS if the secret is set (as you suggested), but I came to the conclusion that this may be limiting pro-users.

I tried to keep it simple, please let me know what you think! I'd really like to see such a feature in Scrup, but probably don't have the experience to properly maintain a fork for long. :o

Also, please be gentle with my Objective-C, it's not exactly my every-other-day language. :-)

@v4lli
Update XCode Project to Mac OS 10.7 and XCode 4.3.2
8eaeb40 
Also remove some obsolete build parameters (suggested by XCode)
@v4lli
Send base64 encoded security token in the HTTP-Header
2ef2929 
This adds a new NSTextfield for a "secret key" which is sent with the
image's upload request.
OpenSSL is used to base64-encode the token, as a HTTP Header needs to be
7Bit ASCII clean, as per RFC1945.
@v4lli
Make recv.php check for the secret
016353b 
Use the $_SERVER array to get to the HTTP-Request-Header data.
@v4lli
Save the secret to the dictionary so it doesn't get lost on restarts
682a0f9
@v4lli
Make it possible to return the http-link over HTTPS
4ebc064 
This may be usefull to people with a self-signed SSL certificate, which
they themselves have marked as valid, but other people receiving the link might
not.
@v4lli
Warn user about the security issue when using HTTP + Auth
837d0db 
The user may choose to re-edit the URL or ignore the error, for ever
(saved to NSUserDefaults).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@v4lli