Mobideck / appdeck

AppDeck is a mobile hybrid application engine for iOS and Android.
http://www.appdeck.mobi/

Appdeck-User-ID validation service #65

Open RoboKopf opened 8 years ago

RoboKopf commented 8 years ago

I was thinking about the AppDeck-User-ID header and would like to ask a question about it and make a suggestion. First, for context, I'm going to paste in part of an email conversation I had with Mathieu about this. He wrote:

"Your app is directly connected to your server, AppDeck-User-ID header is generated on the phone via IDFA on iOS and ANDROID_ID on Android and is directly sent by the phone to your server on each HTTP Request.

The header is also sent to AppDeck Cloud Services server in another independent request for Push Notification purpose."

I do not want to serve the same page to both my app and a browser. I want to serve app pages only from within my app, and not otherwise. Here is an example of how I handle this in my .htaccess file:

```apache
# Rewrite URLs based on whether the request is coming from inside the app:
RewriteCond %{HTTP:Appdeck-User-Id} !=""
RewriteRule ^help.php$ /app-help.php [L]

# If the request is NOT coming from within the app, deny that the requested app-only page exists:
RewriteCond %{HTTP:Appdeck-User-Id} =""
RewriteRule ^app-help.php$ /404.php [L]
```

In short, this only checks to see if the Appdeck-User-Id header has a value or not, and serves the app-only version of the help page when it does have a value (meaning that the request is coming from the app). If a request comes in for the app-only page that doesn't have the Appdeck-User-Id header set, the 404 page is served. So far so good.

My question: what is to stop someone from making a request to my server and spoofing the AppDeck-User-ID header? My server-side code would not be able to tell that this request is not coming from my app, and would serve the app-only page.

In order to prevent this, I'd like to request you to set up a RESTful appdeck user id validation service. You would allow my server to query your server with a user id, and your server would respond with a simple confirmation that the user id is valid (perhaps it could return the timestamp of the user id's first use, or null otherwise). My server could authenticate itself to your service using my app's API key/secret.

(For further protection against impersonation via spoofed Appdeck-user-id header, I could set my app to run only the https version of my site, which should mean that the headers are all encrypted and that the appdeck user id could not be intercepted by a third party.)

This validation service should be easy for you to set up and would add value to your product. If I'm misunderstanding something or there are problems with the validation service idea, please let me know!

Anyone else interested in something like this or have ideas about how best to achieve it?

mdekermadec commented 8 years ago

This is a good idea, but setting up this service may generate a lot of queries on our side.

Maybe if we create a "Pro account" we could create this kind of services.

RoboKopf commented 8 years ago

The number of queries could be reduced to one per app installation. I'm not suggesting to query your server with each page request. Once would be enough because I'm already keeping a database record for each app installation; I would just store the results of the validity check there. I'd be willing to pay for this service, but I don't think it would cost you much in server load if used in this way.
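A server-side sketch of the design RoboKopf describes in his opening post and the reply above (validate the Appdeck-User-Id header once per installation, store the answer, and only then serve the app-only page). This is an added illustration, not code from the AppDeck project; the validation service does not exist, so `demo_validator` and `KNOWN_INSTALLS` are hypothetical stand-ins for it.

```python
from typing import Callable, Optional

# Hypothetical client for the validation service proposed in this thread: given an
# Appdeck user id it returns the id's first-use timestamp, or None if the service
# does not know the id (e.g. a spoofed value). The real service does not exist yet.
Validator = Callable[[str], Optional[str]]


class InstallationRegistry:
    """Per-installation records; each user id is checked against the service only once."""

    def __init__(self, validate: Validator) -> None:
        self._validate = validate
        self._records: dict[str, Optional[str]] = {}  # user id -> first-use timestamp or None
        self.remote_calls = 0  # counts queries sent to the validation service

    def is_valid(self, user_id: str) -> bool:
        if user_id not in self._records:
            # Unknown installation: query the service once and store the answer.
            # A production version should expire negative (None) entries so a
            # transient service failure does not lock out a genuine install.
            self._records[user_id] = self._validate(user_id)
            self.remote_calls += 1
        return self._records[user_id] is not None


def resolve(path: str, headers: dict[str, str], registry: InstallationRegistry) -> str:
    """Server-side equivalent of the two .htaccess rules, with validation added."""
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    user_id = lowered.get("appdeck-user-id", "").strip()
    from_app = bool(user_id) and registry.is_valid(user_id)
    if path == "/help.php" and from_app:
        return "/app-help.php"  # validated app installs get the app-only page
    if path == "/app-help.php" and not from_app:
        return "/404.php"  # browsers and spoofed headers are told the page does not exist
    return path


# Constructed sample data: one genuine installation known to the (fake) service.
KNOWN_INSTALLS = {"install-0001": "2016-05-01T10:00:00Z"}


def demo_validator(user_id: str) -> Optional[str]:
    return KNOWN_INSTALLS.get(user_id)


if __name__ == "__main__":
    reg = InstallationRegistry(demo_validator)
    print(resolve("/help.php", {"Appdeck-User-Id": "install-0001"}, reg))  # /app-help.php
    print(resolve("/app-help.php", {"Appdeck-User-Id": "forged-id"}, reg))  # /404.php
    print(reg.remote_calls)  # 2
```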

AIMMOTH commented 7 years ago

Question, I used app.helper.ajax() to POST my server in order to get the AppDeck-User-ID but there was no such header. How do I get the ID?

Is there an easier way of getting the ID, like an AppDeck API call?

Edit: Or is this only a problem when previewing the App in AppDeck? Do I need to use a published app to get the id?