Personal token in repository
Closed this issue · 11 comments
Hi,
I'm a sysadmin from https://play.dogmazic.net
Looks like you shared your personal token on this repo, and users from all over the world are using it to connect to our Ampache instead of using their own account. Right here:
Power-Ampache-2/secretsnot.properties (line 6 in db4cc6f)
We had some concerns about a security issue, but when I saw the user_agent I remembered your project... and bingo!
Did you plan to share it or is it an error?
If you want to have a "built in" access to our instance, this is something we could talk about.
BR
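A committed credential like the one reported above is exactly what a pre-commit or CI check over `.properties` files should catch. The following is an added example (not code from the Power Ampache 2 project or from Dogmazic): it parses a Java/Android-style properties file, flags keys that look like credentials and carry a real value rather than a placeholder, and prints a report with the values masked. The file content, key names and values are constructed for the example.

```python
import re

# Constructed sample of a .properties file; every value here is made up for
# this example and is not taken from the project's real configuration.
SAMPLE_PROPERTIES = """\
# build-time configuration (constructed sample)
demo.server.url=https://play.dogmazic.net
demo.username=power-ampache2-demo
demo.password=hunter2-example
api.token: abcdef0123456789abcdef0123456789
api.token.placeholder=${API_TOKEN}
keystore.password=
"""

# Key names that usually hold credentials.
SECRET_KEY_PATTERN = re.compile(r"(token|secret|passw(or)?d|api[_.-]?key|auth)", re.IGNORECASE)
# Values that are placeholders to be filled at build time, not real secrets.
PLACEHOLDER_PATTERN = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|changeme|todo|xxx+)$", re.IGNORECASE)


def parse_properties(text):
    """Yield (line_no, key, value) for each entry; comments ('#' or '!') and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Properties allow '=' or ':' as the separator, with optional whitespace.
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        yield line_no, m.group(1), m.group(2).strip()


def find_secret_entries(text):
    """Return [(line_no, key)] for credential-looking keys whose value is non-empty and not a placeholder."""
    hits = []
    for line_no, key, value in parse_properties(text):
        if not SECRET_KEY_PATTERN.search(key):
            continue
        if not value or PLACEHOLDER_PATTERN.match(value):
            continue
        hits.append((line_no, key))
    return hits


def mask(value, keep=4):
    """Mask a secret for reporting, keeping only the first `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def report(text):
    """Report lines with masked values, so the report itself cannot leak the secret."""
    values = {(ln, k): v for ln, k, v in parse_properties(text)}
    return [f"line {ln}: {k} = {mask(values[(ln, k)])}" for ln, k in find_secret_entries(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_PROPERTIES):
        print(line)
```

Run as a pre-commit hook over staged `*.properties` files, a non-empty result from `find_secret_entries` is a reason to block the commit; the placeholder check keeps `${VAR}`-style build-time substitutions from producing false positives.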
hello,
that account is meant to be used as a "demo" instance, since the official demo server is very small. The user is supposed to use that hardcoded account to evaluate the app. When you open the login screen there's this "Dogmazic demo" button at the bottom, along with regular login buttons. If I'm violating any terms from your service please let me know and I'll fix or remove that button.
This said, I'm open to a collaboration with you and your team. Let me know what you have in mind.
Thanks
We are OK with it as long as our server can handle it ;)
But it would be great to do it together so we ensure all is fine for all our users.
A few things I have right now in mind, without giving it a lot of thought:
- specific
  - using an explicit user (something like "power-ampache2-demo"?)
  - is there any way to have only the token in the app (to prevent people from connecting to the demo account and changing parameters)? I'm not an Ampache expert, but I think I could create you a Stream token without security issue and it would be exactly what you need.
- general
  - adding app info in the user-agent (to allow sysadmins to know what's happening)
- on Dogmazic side
  - ensuring no ban or blacklist of the user
  - remove/reset rating from the user
  - prevent any preferences edit?
  - prevent password change?
I saw your application a few months ago but never took the time to test it. Just did, it's great! Good job!
> We are OK with it as long as our server can handle it ;)

It's supposed to be just an evaluation demo, I hope people won't abuse it, given the fact they can get a free account easily.

> using an explicit user (something like "power-ampache2-demo"?)

Not a problem, I will make the change in the next release. The non-human name and email was just to keep some privacy initially, not necessary anymore.

> is there any way to have only the token in the app (to prevent people from connecting to the demo account and changing parameters)?

There is a problem with the Ampache backend, that the devs are fixing right now, where when you log in with a token, the request to get the User object doesn't return the data I need for the app to function properly, that's why for now token-login is disabled. But it is a possibility, once ready, and once Dogmazic updates to the updated server once the patch is up.

> adding app info in the user-agent (to allow sysadmins to know what's happening)

I will look into that as well, but I suppose the username would be enough?

> on Dogmazic side

I think it would be nice to allow the user to do everything, so they can test the app features, and if possible run a user-reset once a day? I know it's a lot to ask, let me know if that's possible.

> I saw your application a few months ago but never took the time to test it. Just did, it's great! Good job!

Thanks!
Additionally I can add the possibility for users to log in to Dogmazic without having to insert the Dogmazic server url.
Right now when you click on "Dogmazic Server" you're going to login automatically with the demo user. Instead of that, I'll show a dialog that will look like this wireframe:
Hello, thank you for replying to my PM in play.dogmazic.net ! I'm now totally useless, Fufroma is handling the rest.
We had online discussions earlier today with our president and Fufroma, mainly, while other volunteers nevertheless talked a bit.
A nice thing for you to hear is that we would be happy to prominently promote the use of your app in the "mobile apps" popup on our landing page https://www.dogmazic.net ; since it's probably the most lovely Ampache client available. We hope it will be on Play Store soon, so we can direct users towards your application stating they can find it on F-Droid and Play Store at their convenience.
Great job
No problem, thank you!
This is the link for the app store listing on F-Droid. (Note that F-Droid releases are usually a few days behind GitHub releases due to F-Droid's slow build process).
https://f-droid.org/packages/luci.sixsixsix.powerampache2.fdroid/
The PlayStore version will be available in about a month, max 2 months, since I have higher priorities right now (widget, multi-user, advanced settings, etc...).
Fdroid and Github releases will be always updated.
All places where releases are currently available:
> using an explicit user (something like "power-ampache2-demo"?)
> Not a problem, I will make the change in the next release. The non-human name and email was just to keep some privacy initially, not necessary anymore.

Perfect!

> is there any way to have only the token in the app (to prevent people from connecting to the demo account and changing parameters)?
> There is a problem with the Ampache backend, that the devs are fixing right now, where when you log in with a token, the request to get the User object doesn't return the data I need for the app to function properly, that's why for now token-login is disabled. But it is a possibility, once ready, and once Dogmazic updates to the updated server once the patch is up.

Ok. I'll keep an eye on https://github.com/ampache/ampache/issues?q=author%3Aicefields . Usually I update Ampache the same day of the release, I'll keep you informed.

> adding app info in the user-agent (to allow sysadmins to know what's happening)
> I will look into that as well, but I suppose the username would be enough?

I was thinking about a log like
1.2.3.4 - - [26/May/2024:10:18:27 +0200] "GET /server/json.server.php?action=user&auth=XXXXX&username=XXXX HTTP/1.1" 200 1321 "-" "okhttp/5.0.0-alpha.9"
Having something like "PowerAmpache2_1.0.55" instead of "okhttp/5.0.0-alpha.9" would be useful to understand requests.

> on Dogmazic side
> I think it would be nice to allow the user to do everything, so they can test the app features, and if possible run a user-reset once a day? I know it's a lot to ask, let me know if that's possible.

Good idea! I'll have a look at it, I have no idea what to reset right now but we can do that :)

> Additionally I can add the possibility for users to log in to Dogmazic without having to insert the Dogmazic server url. Right now when you click on "Dogmazic Server" you're going to login automatically with the demo user. Instead of that, I'll show a dialog that will look like this wireframe

That would be great!
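To show what the sysadmin gains from an application-specific user-agent, here is an added example (not code from either project) that parses access-log lines in the combined format quoted above, redacts the `auth`/`username` query parameters before anything is stored or shared, counts requests per user-agent, and counts how many distinct source IPs sit behind each agent, which is how a single shared demo account shows up. The log lines are constructed: the `1.2.3.4`/okhttp line mirrors the one in the thread, the `PowerAmpache2_1.0.55` agent is the proposed value, and the remaining IPs, tokens and timestamps are sample data.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
1.2.3.4 - - [26/May/2024:10:18:27 +0200] "GET /server/json.server.php?action=user&auth=XXXXX&username=XXXX HTTP/1.1" 200 1321 "-" "okhttp/5.0.0-alpha.9"
5.6.7.8 - - [26/May/2024:10:18:30 +0200] "GET /server/json.server.php?action=handshake&auth=abcdef1234&user=demo HTTP/1.1" 200 512 "-" "PowerAmpache2_1.0.55"
9.9.9.9 - - [26/May/2024:10:19:01 +0200] "GET /server/json.server.php?action=playlists&auth=ffff0000&username=demo HTTP/1.1" 200 2048 "-" "PowerAmpache2_1.0.55"
1.2.3.4 - - [26/May/2024:10:19:05 +0200] "GET /server/json.server.php?action=songs&auth=XXXXX HTTP/1.1" 200 9000 "-" "okhttp/5.0.0-alpha.9"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters that carry the session token or account name.
SENSITIVE_PARAMS = {"auth", "username", "user"}

# Assumed convention for the app's user-agent: "PowerAmpache2_<version>".
APP_UA_RE = re.compile(r"^PowerAmpache2_(?P<version>[\w.\-]+)$")


def redact_query(path):
    """Replace the values of credential-bearing query parameters with [REDACTED]."""
    parts = urlsplit(path)
    query = [(k, "[REDACTED]" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))


def parse_log(text):
    """Return one dict per well-formed line, with the request path already redacted."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        rec["path"] = redact_query(rec["path"])
        records.append(rec)
    return records


def identify_client(ua):
    """Map a user-agent to (app, version); generic HTTP-library agents come back as (None, None)."""
    m = APP_UA_RE.match(ua)
    if m:
        return "PowerAmpache2", m.group("version")
    return None, None


def requests_per_agent(records):
    """Number of requests seen per user-agent string."""
    return Counter(rec["ua"] for rec in records)


def distinct_ips_per_agent(records):
    """Number of distinct source IPs per user-agent; a high count on one shared account is the signal."""
    ips = defaultdict(set)
    for rec in records:
        ips[rec["ua"]].add(rec["ip"])
    return {ua: len(addrs) for ua, addrs in ips.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ua, n in requests_per_agent(recs).items():
        app, version = identify_client(ua)
        label = f"{app} {version}" if app else "unidentified client"
        print(f"{ua!r}: {n} requests from {distinct_ips_per_agent(recs)[ua]} IP(s) -> {label}")
```

Redacting at parse time matters because a token in a query string is a bearer credential: anything that copies the raw line (a ticket, a chat message, a second log aggregator) would otherwise carry a usable session.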
- About the user, do I need to register a new one or can you just change the username?
- Ok for the user agent, I'll look into it today.
- Daily user reset: You'll have to reset likes, playlists created by that user, ratings, at the very least. Leave recents, so at least that row stays populated for new demo users.
Is there a way I can contact you directly? I have telegram and mastodon links in the readme, or I can reach you on other messengers. Let me know.
here's the new Release,
https://github.com/icefields/Power-Ampache-2/releases/tag/v1.00-57
It includes the Dogmazic release as well ( PowerAmpache2-v1.00-57-PlayFree-release.apk ), more details in the emails I sent you.
Thanks.
> There is a problem with the Ampache backend, that the devs are fixing right now

Could we list the related issue in Ampache? 6.5.0 looks like it's going to be released soon, but I'm not sure that the needed patch will be included.
> Could we list the related issue in Ampache? 6.5.0 looks like it's going to be released soon, but I'm not sure that the needed patch will be included.

It's listed already and they worked on it recently. I just need to test and integrate it in the app.
I think it's fixed in PowerAmpache2-1.00-60-free