Wonderful app, but no form of closure/security
iambenkay opened this issue · 11 comments
Would be great if there was a way to secure my own data/box.
I saw in the source code db.json had something like that: _createdBy and _updatedBy, but nothing backs it up in the logic.
@iambenkay Adding authentication is definitely part of the road map. Will soon add them.
I mean, can't you just keep the UUID secret?
@ExpDev07 You mean the box id? It is random but that can't be secured. We need to add one more level of authentication for it to be secured.
> @ExpDev07 You mean the box id? It is random but that can't be secured. We need to add one more level of authentication for it to be secured.
I guess you're right, but surely, if you generate a key like:
https://jsonbox.io/mybox_key_82u3r8dusd8us0dfus9duf083uf0ujsoidjf903u_d09suf98uwfwf
The box won't be accessed by anyone else granted you keep the key secret, and that can almost be guaranteed. I guess the issue here is if you need to generate a new key because somebody found it out, and doing so would make you lose your box.
Also a form of origin specificity would help with light apps that don't have a backend: ideally we could specify authorized request origins (like for Google API Keys) in order to "securely" handle data from the website (frontend only websites will have to disclose the UUIDs)
I still feel that, given box id being a long random string, and box id is not discoverable by others through the API, the security of a given box is well defined, and adequate. Guessing your box id has the same chance as guessing your API key.
About comments of losing box id, won't the problem be exactly the same, if you lose the API key for your box?
> About comments of losing box id, won't the problem be exactly the same, if you lose the API key for your box?
Good point. Maybe if you hook the box up with your email through a jsonbox dashboard, and can have boxes connected to your account, token administration could be done that way -- however, now jsonbox is no longer just a lightweight software as this adds a bunch of complexity.
I do agree that, as long as you write down the BOX's id, and that it's long and unique enough, it is technically secure.
You can solve the problem of old unused data by just clearing out unused boxes over a period of time.
Encrypt your data, keep the key secure. It's probably the best solution if you're in dire need of a temporary security solution.
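One way to do what the last comment suggests, as an added example that is not part of the thread or of the jsonbox code: encrypt each record with AES-256-GCM before it is stored, so the box only ever holds ciphertext. The function names, the stored document layout (`v`, `iv`, `tag`, `ct`) and the sample box id are assumptions made for this sketch; the box id is bound as associated data so a document copied into a different box fails to decrypt.

```javascript
const nodeCrypto = require('node:crypto');

// Encrypt a record into the JSON document that would be stored in the box.
// key: 32 random bytes kept outside the box. boxId: bound as associated data.
function sealRecord(key, boxId, record) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(boxId, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(record), 'utf8'),
    cipher.final(),
  ]);
  return {
    v: 1, // layout version (assumed field, not a jsonbox convention)
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt a stored document. Throws if the key or box id is wrong, or if
// the document was modified after it was sealed.
function openRecord(key, boxId, doc) {
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(doc.iv, 'base64'));
  decipher.setAAD(Buffer.from(boxId, 'utf8'));
  decipher.setAuthTag(Buffer.from(doc.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(doc.ct, 'base64')),
    decipher.final(), // authentication is checked here
  ]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample values, for illustration only.
const sampleKey = nodeCrypto.randomBytes(32);
const sampleBoxId = 'box_constructed_example_id';
const stored = sealRecord(sampleKey, sampleBoxId, { note: 'hello', n: 1 });
console.log(stored);                                     // what the box would hold
console.log(openRecord(sampleKey, sampleBoxId, stored)); // { note: 'hello', n: 1 }
```

This gives confidentiality and tamper detection only: anyone who learns the box id can still overwrite or delete the stored documents. A frontend-only site that ships the key to every visitor gains nothing from it.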