WebService Security

5 years 9 months ago #3062 by bibz87
WebService Security was created by bibz87
Is there a way to reinforce security around the WebService script?

I noticed it is possible for pretty much anyone with the proper URL to have complete control over localization spreadsheets: create, update, clear and anything else the plugin can do.

I'm not 100% familiar with Google Scripts, but would having two WebServices (one with read/write access for developers and one with read-only access for anyone else) fix the issue?

Thanks!

5 years 9 months ago #3064 by Frank
Replied by Frank on topic WebService Security
Hi,
I have been working on several features that require a new WebService (v6). One of the things it has is a password for any modification (Import, Create, etc.). It only allows Export (which is read-only and only used in the clients) without a password.
Given that the edit features are only used in the Editor, the password is never saved into the build. That way, no one can use the WebService to modify the localization data. Just read it (which is what the game client does anyway).

This is working in v6 with a bunch of other things. But it will take a bit of time before I finish the rest of the features needed for v6.
That said, what I'm going to do is port the password feature into v5 and release it in the next beta.

Hopefully, I will have that by tomorrow in v2.8.7b3.
Once you download that version from the beta folder, you will need to delete your current WebService and install it again, so that the plugin gets the updated v5 script.

Hope that helps,
Frank

Are you :-) Give I2L 5 stars!
Are you :-( Please let us know how to improve it!
To get the betas as soon as they are ready, check this out
The following user(s) said Thank You: bibz87
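
The access rule described in the reply above (Export open, every other action behind a password), sketched as an added example that is not part of the thread and is not the plugin's own WebService script. The function names, parameter names and response shape are hypothetical, and refusing to run with the default password is an extra hardening step assumed here, not something the thread says the plugin does.

```javascript
// Hypothetical names throughout; only "Export", "Import", "Create",
// "change_this" and "Wrong Password" come from the thread.
const DEFAULT_PASSWORD = 'change_this';
const READ_ONLY_ACTION = 'Export';                       // no password needed
const KNOWN_EDIT_ACTIONS = new Set(['Import', 'Create']); // editor-only

// Compare two strings without stopping at the first differing character.
function constantTimeEquals(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// params: the request's query parameters; configuredPassword: the value
// stored in the deployed script (never shipped in the game build).
function handleRequest(params, configuredPassword) {
  const action = String(params.action || '');
  if (action === READ_ONLY_ACTION) {
    return { status: 200, body: 'export data' };
  }
  // Everything that is not Export is treated as protected (deny by default).
  if (!configuredPassword || configuredPassword === DEFAULT_PASSWORD) {
    // Assumed hardening: a default password protects nothing.
    return { status: 403, body: 'Set a non-default password first' };
  }
  const supplied = String(params.password || '');
  if (!constantTimeEquals(supplied, configuredPassword)) {
    return { status: 403, body: 'Wrong Password' };
  }
  if (!KNOWN_EDIT_ACTIONS.has(action)) {
    return { status: 400, body: 'Unknown action' };
  }
  return { status: 200, body: action + ' accepted' };
}
```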

5 years 9 months ago #3065 by bibz87
Replied by bibz87 on topic WebService Security
Hi Frank,

Thanks for the quick answer!

Honestly, I didn't think there'd be a fix that early; I was just flagging a security issue. :)

From what I see a password-protected edit access seems to do the trick!

I'll check the beta folder for the new version and try it out as soon as it's available. I'll keep you posted if issues occur with the beta build.

Thanks!

5 years 9 months ago #3066 by Frank
Replied by Frank on topic WebService Security
2.8.7b3 is now in the beta folder.

Remember to delete the old WebService and install it again to access the code.
Hope that helps,
Frank

5 years 9 months ago #3067 by bibz87
Replied by bibz87 on topic WebService Security
Thanks, Frank!

I'll try it right away!

5 years 9 months ago #3068 by bibz87
Replied by bibz87 on topic WebService Security
Noticed a bug with Language Source: if the "In Google Drive" droplist has already been populated (by calling the script before changing the password, for example) and the password gets changed, the droplist stays populated even if Refresh throws a "Wrong Password" error.

Steps to reproduce:
  1. Make sure you already have at least one localization Spreadsheet in your Google Drive
  2. Install WebService from 2.8.7b3 and leave default password ("change_this")
  3. Set WebService URL in Language Source
  4. Click Verify
  5. Click Refresh. Notice droplist gets populated, as expected
  6. Change password in WebService and publish as new version
  7. Update WebService URL in Language Source if necessary
  8. Click Refresh. Notice the "Wrong Password" error being displayed, but the droplist still has Spreadsheets from the previous refresh
