Closed joebeem closed 7 years ago
There is no way to verify the code being published is the code being used, and there is no way for a client to know that the server wasn't breached. That's why an intermediate server is a bad idea (again). I realize that is the quickest way to get up and running and maybe short term, but the auth really needs to be moved to the client.
You are more than welcome to open a new issue proposing that we bring authentication to the client side, or do it yourself and submit a PR. But we're putting the cart before the horse; in fact, the horse has yet to be born.
@shadycuz I get that.
Sent this.
Hi.
We seemed to have located and fixed the problematic code, and with regard to the missing project owner, the community would like to fork the project and host the authenticator proxy (not using the current appspot proxy).
We would like to grant access to the ACD API so that we can do it. Thanks.
@hjone72 Looks like getting acdcli back up is going to take someone volunteering a good security id and secret. Plugging that into acdcli in a proxy-less way seems very straightforward, with the caveat that the actual owner of that key will now be the front person for all interactions with amazon in relation to that key.
You do know yadadada is back?
On May 17, 2017 3:54 PM, "bgemmill" notifications@github.com wrote:
@bgemmill, happy to help however I can. If I were to give someone my security profile, I'd prefer it not be public knowledge though.
@hjone72 It's not publicly identifying if that's the concern, it's more that Amazon would know it was yours. Understandable if you want to keep it private; I'm pretty sure that's how we ended up with a proxy in the first place.
I wouldn't mind being the front person since I'm a maintainer, but my security profile isn't white-listed.
@shadycuz until the problem is fixed, it's not fixed :-)
@bgemmill, I've actually got 3 whitelisted profiles. Happy to help out with this 😄
@hjone72 that would be really great. We all would really appreciate it.
Very off topic, but I noticed you own the PlexAuth repo... awesome app.
@joebeem, Thanks! 😄
I've been in contact with @bgemmill and support his decision with how the keys should be handled moving forward.
I saw someone mention extracting tokens from the desktop apps in one of the various issues/pr/threads and thought it sounded like a fun project.
This gist is a proof of concept of decrypting the refresh-token the Amazon Drive app saves to disk and using it to request a bearer token.
I've only tested it on OS X but I assume the other versions would work the same - why use Xamarin if it's not going to at least be the same?
I haven't modified acd_cli to accept this token (assuming the token even works without additional hoops to jump through) but thought I'd stick it up here in case anyone else wants to play with it.
@cs2dsb great way to get your account banned. Good luck!
@calisro because it's against some T&C or just a guess?
@cs2dsb extracting and using someone else's tokens? Just an educated guess that Amazon might not appreciate that.
@calisro could well be. But the token is issued to me to upload my files to my account and that's all I can do with them, it makes no appreciable difference to them as long as I'm not sharing the tokens around and uploading petabytes of trash - and if I wanted to do that there's nothing to stop me installing their app a bunch of times in different places. It's obviously a grey area and I'm willing to take the risk because without acd_cli my backup will never finish and the data I've got in there will be trash :). I might test the water by trying to publish an app through their store that just keeps an oauth token current on your machine for uploading files via curl or whatever. Edit: I didn't realise app submissions were currently closed to new developers. Oh well :(
You won't be using rclone's method of auth... https://twitter.com/njcw/status/865846847264497664
He has to switch to an auth service just like acd_cli uses.
For those still following this ticket, I have an auth proxy server up and running. Before that goes live I'm checking with @yadayada to see if he's going to do a more official one. We don't want to fragment into two auth systems.
I'm still having strange issues, but I will be able to tell whether my profiles work on Google's Compute Engine by tomorrow.
Yadayada's version is back, and I'm working on property recovery before this fork goes live again.
I am a former user of the old repo and needless to say was very upset (as were the rest of us) to learn about what had transpired over this past weekend.
Given that it seems that the owner of this github is basically taking ownership of the issue and seems to be willing to help out and/or attempt fixing the issue in the event amazon replies, I was wondering if there is a place we can donate funds for the time and effort?
I certainly appreciate anyone's assistance in getting this project running again and I am willing to bet that others would gladly be willing to donate as well.
This also applies to the original repo of acd_cli if the owner reappears or contributes to the fix. Sorry for opening an issue for this; feel free to remove it. Since I am unfortunately not advanced enough in programming, I would just like to help out in any way possible.
Thanks.