Posted July 23, 2023

I'm opening up our OAuth to securely authenticate users and download files remotely from the site. In doing so, we have to store their OAuth access token locally. The problem is with the /downloads/files/{id}/download scope exposing the FQDN of the file itself. That's a bit of an issue since the FQDN of the file never changes and anyone with the URL can download, regardless of whether they have access to it or not.

The issue we're facing is the fact that the user can get ahold of their token if they tried hard enough. That means they can run their own API call to fetch the FQDN of any file they have access to. That's a bit dangerous. Sure, it's no different than them just leaking the file itself, but at least we have logs of their download and can track it. Downloading the file with the FQDN isn't logged.

Any suggestions?

PS: In our application, all of the API calls are made via our webserver using web requests instead of direct calls. The hope there is to help prevent users from attempting to recreate the same calls with their token. Problem is, the API for REST is public on IPS, so the user can easily recreate them anyways.