Hacker News new | ask | show | jobs
by ww520 5121 days ago
I've looked at the client-side cloud API from time to time and I'm never comfortable with embedding my key/secret credential in the Javascript code. Anyone having access to the client code in the browser, which is everyone, will have access to my secret credential.

If anyone has an idea to deal with this, please elaborate.
2 comments
joffreyf 5118 days ago
Hi, I'm one of the developers who's been working on this project at dotCloud, and more specifically on the twitter service. The example you're citing shows what I figured was the shortest way to try out the twitter API integration. And you're absolutely right for saying that as soon as your app goes public, it sucks.

This is why this call only has to be made one time ; the key and secret are then securely persisted into the database and the consumer secret can be ommitted in all subsequent calls. Alternatively, we also provide an API endpoint that you can just curl to provide the consumer key/secret. Our "detailed" documentation (http://js.dotcloud.com/doc.html#c4) is more thorough on that matter.

Hope that answers your question!

Edit: sorry for the late response, happened to be out of town for the last three days. Bad timing. :(

link
clintjhill 5121 days ago
I've thought about this too. For me it's a matter of what somebody really "gets" with those keys. If I'm compromised by someone whose taken my keys and programmed a script against my service are they stealing anything? Well if I've applied some form of ACL and provided some secondary authentication against data they shouldn't be able to query I should be Ok.

Likewise with user accounts. If they take my keys, and somehow get someones password they'd have the same access they would otherwise have through the GUI. If I put user passwords into the code, well yeah that's totally bad on me.

I don't know. I'm not a security expert, however I've not been able to catch a problem with this. I'd love to know better.

link
joffreyf 5118 days ago
I guess one of the most basic problems that could occur is someone using your keys to make unauthenticated requests and exhaust your rate limit.
link