uploadcare / uploadcare-java

Java API client that handles uploads and further operations with files by wrapping Uploadcare Upload and REST APIs.
https://uploadcare.com
Apache License 2.0

UploadcareClient without privatekey #20

Closed ALIMAXIMUM closed 4 years ago

ALIMAXIMUM commented 5 years ago

Hello. How can I use UploadcareClient without a private key? I just need to upload files, nothing more. In most APIs, UploadcareClient does not need a private key. But in Android it is necessary, and this is not safe. Nobody (professional developer) stores a private key on the client side. This is such an important subject, and I wondered when I understood it as CTO. Anyway, we can't accept its risks, because we set the private key inside our app and it can be recovered easily by an "app cracker".

https://github.com/uploadcare/uploadcare-java/blob/4ddc3927a886f192907eb9b7c0f51112320738f6/src/main/java/com/uploadcare/api/Client.java#L76

dmitry-mukhin commented 5 years ago

You're right, you shouldn't have to have a private key to use the Upload API. We have to fix that. BTW, how do you actually store secrets in an Android app?

ALIMAXIMUM commented 5 years ago

I'm trying hard to avoid storing any secrets on the app side, except where I have to, like Google API keys.

ALIMAXIMUM commented 5 years ago

What if I change the Android request header to be like the iOS request? I tried to remove the private key from Authorization in the request header and it caused UploadcareAuthenticationException. How can I fix it?

dmitry-mukhin commented 5 years ago

There are two separate APIs: the REST API and the Upload API. You can't make requests to the REST API without proper authentication. For the Upload API, in most cases, only the public key is required.

jlamson commented 4 years ago

@dmitry-mukhin could you provide any insight or documentation on how to make a request to the Upload API with a public key only? I'm happy to fork this and make the tweaks for my own purposes, but I've yet to figure out how to successfully remove the private key.

dmitry-mukhin commented 4 years ago

Here's the Upload API documentation

Also, you can look at how it's done in Python lib (reference implementation).

jlamson commented 4 years ago

I see where I was getting hung up. I'm trying to integrate this for Android. In that library, the upload() method does its thing, but then makes a second API call to return more information about the file. That secondary call was the one failing.

Thanks for the quick follow-up!

dmitry-mukhin commented 4 years ago

We need to fix this, probably. The Upload API has an endpoint for getting file info!
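Added example, not part of the thread and not uploadcare-java code: a sketch of the two calls discussed above (upload, then file info) built against the Upload API with the public key only, so no secret ships in the app. The class and method names are hypothetical, the key and file ID are constructed placeholders, and the endpoint and field names (`/base/`, `/info/`, `UPLOADCARE_PUB_KEY`, `pub_key`, `file_id`) are taken from Uploadcare's Upload API documentation rather than from this page. The requests are built but not sent.

```java
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.UUID;

public class PublicKeyOnlyUpload {
    // Assumption: Upload API host as given in Uploadcare's public documentation.
    static final String UPLOAD_API = "https://upload.uploadcare.com";

    /** Multipart upload request; the public key is the only credential in it. */
    static HttpRequest upload(String publicKey, String fileName, byte[] content) {
        String boundary = "----" + UUID.randomUUID();
        // Strip characters that would break out of the quoted filename parameter.
        String safeName = fileName.replaceAll("[\"\\r\\n]", "_");
        String head = "--" + boundary + "\r\n"
                + "Content-Disposition: form-data; name=\"UPLOADCARE_PUB_KEY\"\r\n\r\n"
                + publicKey + "\r\n--" + boundary + "\r\n"
                + "Content-Disposition: form-data; name=\"file\"; filename=\"" + safeName + "\"\r\n"
                + "Content-Type: application/octet-stream\r\n\r\n";
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.writeBytes(head.getBytes(StandardCharsets.UTF_8));
        body.writeBytes(content);
        body.writeBytes(("\r\n--" + boundary + "--\r\n").getBytes(StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create(UPLOAD_API + "/base/"))
                .header("Content-Type", "multipart/form-data; boundary=" + boundary)
                .POST(HttpRequest.BodyPublishers.ofByteArray(body.toByteArray()))
                .build();
    }

    /** File-info lookup on the Upload API, replacing the REST call that needs the secret. */
    static HttpRequest fileInfo(String publicKey, String fileId) {
        String query = "pub_key=" + URLEncoder.encode(publicKey, StandardCharsets.UTF_8)
                + "&file_id=" + URLEncoder.encode(fileId, StandardCharsets.UTF_8);
        return HttpRequest.newBuilder(URI.create(UPLOAD_API + "/info/?" + query)).GET().build();
    }

    /** Guard for client builds: fail if a request carries an Authorization header. */
    static void requireNoSecret(HttpRequest request) {
        if (request.headers().firstValue("Authorization").isPresent())
            throw new IllegalStateException("secret-bearing request in client code: " + request.uri());
    }

    public static void main(String[] args) {
        String publicKey = "YOUR_PUBLIC_KEY";                   // constructed placeholder
        String fileId = "00000000-0000-0000-0000-000000000000"; // constructed placeholder
        byte[] sample = "constructed sample bytes".getBytes(StandardCharsets.UTF_8);
        for (HttpRequest r : List.of(upload(publicKey, "photo.jpg", sample), fileInfo(publicKey, fileId))) {
            requireNoSecret(r);
            System.out.println(r.method() + " " + r.uri());
        }
    }
}
```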