Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Different approach to authentication #29

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Conversation

v4lli
Copy link

@v4lli v4lli commented Apr 10, 2012

Hi there,
I've been using Scrup for a few weeks now and have fallen in love with it, but the authentication-thing has also been bugging me.

I understand that transmitting a secret key together with an upload request over an insecure connection is not "secure" either (as you mentioned in the PR of 16a2da6), but there are a few points to this change:

  • Any authentication is better than none at all
  • SSL solves this problem
  • Although possibly insecure over-the-cable, it prevents malicious users from uploading anything to your server
  • The "default" can still be the simple method that does not require a key

So, I took the freedom of forking your code and came up with this:
New 'Secret' input field
Warning dialog on insecure connections

I've also thought about enforcing the use of HTTPS if the secret is set (as you suggested), but I came to the conclusion that this may be limiting pro-users.

I tried to keep it simple, please let me know what you think! I'd really like to see such a feature in Scrup, but probably don't have the experience to properly maintain a fork for long. :o

Also, please be gentle with my Objective-C, it's not exactly my every-other-day language. :-)

v4lli added 6 commits April 10, 2012 16:32
Also remove some obsolete build parameters (suggested by XCode)
This adds a new NSTextfield for a "secret key" which is sent with the
image's upload request.
OpenSSL is used to base64-encode the token, as a HTTP Header needs to be
7Bit ASCII clean, as per RFC1945.
Use the $_SERVER array to get to the HTTP-Request-Header data.
This may be usefull to people with a self-signed SSL certificate, which
they themselves have marked as valid, but other people receiving the link might
not.
The user may choose to re-edit the URL or ignore the error, for ever
(saved to NSUserDefaults).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant