anadius / gd-efc

Google Drive - encrypted folder copy
https://anadius.github.io/gd-efc/
383 stars 176 forks

Umm... can't use own oauth because it's obf in main js? #9

Closed bm92aWJldnJvcw closed 3 years ago

bm92aWJldnJvcw commented 3 years ago

Hello, I wanted to know why the client and refresh thing is obfuscated in main.js... I mean, I don't have a problem with that, but then we can't set up our own OAuth in it? And would there be any limit on requests to your OAuth? I'm not much into coding, so sorry if I said anything meaningless.

Btw, it would have been great if the code was not obfuscated in the source, and instead there were just some steps to obfuscate it before hosting so that keys don't get leaked... maybe?

anadius commented 3 years ago

I didn't obfuscate the main.js file to protect the credentials; I did it to protect the code itself from being copied without giving proper credit. I'm using credentials from rclone; they are not a secret. And the limits are pretty high. If you use credentials from your own app, then at most 100 people will be able to use it unless you verify your app.

I could add a simple override in the HTML page like I already did with showBuilder and encryptedIdPrefix. But your credentials will be stored as plain text.

If you want to use those credentials just for yourself I could add that feature. Two input fields for client ID and client secret - visible only when you're not logged in.

bm92aWJldnJvcw commented 3 years ago

I think I can just obfuscate my own ID and secret and paste them into the code? That way it won't be plain text? I will verify the app to increase the limits, I guess.

anadius commented 3 years ago

No matter how you obfuscate them people will still be able to read them, one way or another.

If I implement it as a set of variables in index.html, someone can simply open the browser console and type the names of those variables to get the values. If I implement it as a function and you call, for example, setCredentials(clientId, clientSecret); - someone can just open the browser console, type function setCredentials(a,b){console.log(a,b);} and re-run your obfuscated code. That's how easy it is to get the credentials. I can still do it, but it won't be secure.

If you want it to be secure you'd have to keep the client secret on your server and do all the authentication on your server. That requires changing even more code.
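The extraction anadius describes above, as an added example that is not gd-efc's code and not part of the original thread. The bundle, sink function, token handling and credential values are all hypothetical stand-ins for a real main.js; the credentials are constructed samples, not real Google credentials. It goes a step beyond the comment by also showing the network-level hook, which recovers the secret even when the bundle never exposes a named setter, because a browser-only OAuth client has to send client_secret to the token endpoint.

```javascript
// Added example (not gd-efc's code): why an OAuth client secret embedded in a
// browser bundle can be recovered no matter how it is obfuscated.
// All names (obfuscatedBundle, setCredentials, the credential values and the
// token request) are hypothetical stand-ins for a real main.js.

// --- "Build step": the kind of obfuscation proposed in the issue -----------
// XOR against a fixed key, stored as byte arrays. The key must ship with the
// page for the bundle to decode it, so the transform is trivially reversible.
const KEY = [0x13, 0x37, 0x42, 0x99];

function obfuscate(str) {
  return Array.from(str, (ch, i) => ch.charCodeAt(0) ^ KEY[i % KEY.length]);
}

function deobfuscate(bytes) {
  return String.fromCharCode(...bytes.map((b, i) => b ^ KEY[i % KEY.length]));
}

// Constructed sample credentials (not real Google credentials).
const ENC_CLIENT_ID = obfuscate('1234567890-example.apps.googleusercontent.com');
const ENC_CLIENT_SECRET = obfuscate('GOCSPX-examplesecretvalue');

// --- The "obfuscated" bundle -----------------------------------------------
// Decodes the values at runtime, hands them to setCredentials(), then sends
// them to the token endpoint. `env` stands for the browser's global scope
// (window) so the example runs outside a browser.
function obfuscatedBundle(env) {
  const id = deobfuscate(ENC_CLIENT_ID);
  const secret = deobfuscate(ENC_CLIENT_SECRET);
  env.setCredentials(id, secret);
  // A browser-only OAuth client has to put client_secret in the request body,
  // which is exactly where any fetch hook (or the Network tab) can read it.
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: 'constructed-refresh-token',
    client_id: id,
    client_secret: secret,
  });
  return env.fetch('https://oauth2.googleapis.com/token', { method: 'POST', body });
}

// --- Attack 1: redefine the sink function (what the comment describes) -----
// In a real browser: open the console, type
//   function setCredentials(a, b) { console.log(a, b); }
// and re-run the bundle. Here the "console" is a replacement global object.
function extractByHookingSink() {
  const captured = {};
  const env = {
    setCredentials(a, b) { captured.clientId = a; captured.clientSecret = b; },
    fetch() { return Promise.resolve(); },
  };
  obfuscatedBundle(env);
  return captured;
}

// --- Attack 2: hook the network call instead -------------------------------
// Works even if the bundle never exposes a named setter: the secret must
// reach the token endpoint, so wrapping fetch reveals it.
function extractByHookingFetch() {
  const captured = {};
  const env = {
    setCredentials() {}, // the bundle may call it; ignore
    fetch(url, init) {
      const params = new URLSearchParams(init.body.toString());
      captured.url = url;
      captured.clientId = params.get('client_id');
      captured.clientSecret = params.get('client_secret');
      return Promise.resolve();
    },
  };
  obfuscatedBundle(env);
  return captured;
}
```

Both hooks need nothing more than the browser console, which is the point of the comment above: anything the page can decode, the person viewing the page can decode. The only layout that keeps the secret out of reach is the one anadius names next, a server that holds the client secret and performs the token exchange itself, so the browser only ever sees an access token.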

bm92aWJldnJvcw commented 3 years ago

Well then... it looks like I will have to stick with rclone's default OAuth. Thanks anyway for the information.

anadius commented 3 years ago

Implemented in ac0244cdc7d940f41f75bba959140d131c6a898a, both overriding the default rclone credentials in index.html and in the user selection modal.