Closed x-ji closed 6 years ago
Or maybe this is just not an important aspect for this project, since the JSON data might come in all forms and shapes that one might not easily be able to make sense of. But in my case the data will all be in a uniform format, that's why I'm a bit worried.
Hey @x-ji, great question, thanks for sharing your concerns. To summarize, you're asking how can users be sure I won't access the data they store on jsonstore.io.
The short answer is: They can't.
Same as you can't be sure mLabs is unable to access data you store on their MongoDB service, or that Amazon is unable to access data you store on S3, with the "slight" difference that you'd rather trust a well established company than a random guy on the internet.
However, jsonstore.io was not designed for storing sensitive data. It was designed to be a quick solution for storing casual data for open source, demo apps and small projects, like a Todo app or a small service. I started this project after I struggled with searching for a similar solution for storing simple stats and metrics for TravisBuddy, which is another open source project I'm maintaining. All I needed was a quick solution to store some numbers, and I ended up registering to mLabs and looking for the simplest Mongo client for Node. If I had jsonstore.io back then, I could've just picked up an endpoint and started posting data.
That said, you could also encrypt your own sensitive data before storing it on jsonstore.io, and I'm thinking about making an encrypted client, where you could provide your own encryption seed and it will automatically encrypt all your keys and values and post them to jsonstore.io.
Hopefully that answers your question, let me know otherwise. :)
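The client-side encryption suggested in the reply above, as an added example that is not part of the thread or of jsonstore.io's code: each value is sealed with AES-256-GCM under a key derived from the user's secret, and the storage path is bound in as authenticated data so the host can neither read a record nor serve it back from a different path. The function names, the envelope layout, the sample path and the choice of scrypt and AES-GCM are assumptions of this example.

```javascript
// Added example: encrypt before upload so the storage host only ever sees ciphertext.
const crypto = require('node:crypto');

// Derive a 256-bit key from the user's secret; the salt travels with the ciphertext.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

// Encrypt any JSON-serialisable value into an envelope that is itself plain JSON.
// `path` (hypothetical storage path, e.g. "users/1") is authenticated but not
// encrypted, so a record moved to another path fails verification.
function sealValue(secret, path, value) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(path, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt an envelope fetched from the store. Throws if the secret is wrong,
// the envelope was modified, or it was returned for a different path.
function openValue(secret, path, env) {
  if (!env || env.v !== 1) throw new Error('unsupported envelope');
  const key = deriveKey(secret, Buffer.from(env.salt, 'base64'));
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(env.iv, 'base64'), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(path, 'utf8'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(env.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data; the envelope is what would be sent as the JSON body.
const secret = 'correct horse battery staple';
const envelope = sealValue(secret, 'users/1', { name: 'jon', todo: ['buy milk'] });
console.log(JSON.stringify(envelope));
console.log(openValue(secret, 'users/1', envelope));
```

The secret never leaves the client, so losing it means the stored data cannot be recovered by anyone, including the host.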
That makes sense. Thanks for the answer.
Not a negative comment. It's just that it happens that I've been working on a project with a similar aspect recently, i.e. it might need to store some data submitted by different users, which they should be able to retrieve later via a publicly available user interface, identifying themselves.
Making sure that nobody is able to retrieve the data from other users is easy, e.g. with a login mechanism or simply with a long string as I've seen in your example usage. However, how do you assure the users that you, the service host, don't look into their data? Is there some sort of encryption mechanism so that only the users who have a private key for themselves will be able to decode the data they send to the service? Sorry if this is obvious from the source code. I haven't been able to identify such a mechanism from a glance at the project documentation etc. If the users can't be sure that their data stays private, they might have some doubts about using the service? This is also my concern on my project, thus I am curious about how you solve this issue. Thanks!