Wonderful app, but no form of closure/security

Question

Wonderful app, but no form of closure/security

iambenkay opened this issue 5 years ago · 11 comments

Would be great if there was a way to secure my own data/box.

I saw in the source code db.json had something like that:
_createdBy and _updatedBy but nothing backs it up in the logic.

Answer 1 · 2019-09-21T03:49:24.000Z

@iambenkay Adding authentication is definitely part of the road map. Will soon add them.

Answer 2 · 2019-09-21T15:06:08.000Z

I mean, can't you just keep the UUID secret?

Answer 3 · 2019-09-21T15:31:27.000Z

@ExpDev07 that doesn't still make it secure

Answer 4 · 2019-09-21T17:00:40.000Z

@ExpDev07 You mean the box id? It is random but that can't be secured. We need to add one more level of authentication for it to be secured.

Answer 5 · 2019-09-21T17:21:18.000Z

@ExpDev07 You mean the box id? It is random but that can't be secured. We need to add one more level of authentication for it to be secured.

I guess you're right, but surely, if you generate a key like:

https://jsonbox.io/mybox_key_82u3r8dusd8us0dfus9duf083uf0ujsoidjf903u_d09suf98uwfwf

The box won't be accessed by anyone else granted you keep the key secret, and that can almost be guaranteed. I guess the issue here is if you need to generate a new key because somebody found it out, and doing so would make you lose your box.

Answer 6 · 2019-09-21T23:04:58.000Z

@ExpDev07 precisely my point. If you lose the key you have lost a lot of data

Answer 7 · 2019-09-22T16:31:29.000Z

Also a form of origin specificity would help with light apps that don't have a backend: ideally we could specify authorized request origins (like for Google API Keys) in order to "securely" handle data from the website (frontend only websites will have to disclose the UUIDs)

Answer 8 · 2019-09-22T16:45:32.000Z

I still feel have that given

box id being a long random string
box id is not discoverable by others through the API
The security of a given box is well defined, and adequate. Guessing your box id has the same chance as guessing your API key.

About comments of loosing box id, won't the problem be exactly the same, if you lose the API key for your box?

Answer 9 · 2019-09-22T17:01:59.000Z

About comments of loosing box id, won't the problem be exactly the same, if you lose the API key for your box?

Good point. Maybe if you hook the box up with your email through a jsonbox dashboard, and can have boxes connected to your account, token administration could be done that way -- however, now jsonbox is no longer just a lightweight software as this adds a bunch of complexity.

I do agree that, as long as you write down the BOX's id, and that it's long and unique enough, it is technically secure.

Answer 10 · 2019-10-15T14:43:14.000Z

You can solve the problem of old unused data by just clearing out unused boxes over a period of time.

Answer 11 · 2019-10-18T06:13:02.000Z

Encrypt your data, keep the key secure. It's probably the best solution if you're in dire need of a temporary security solution.