TOPIC: WebService Security

WebService Security 3 weeks 3 hours ago #3062

  • bibz87
Is there a way to reinforce security around the WebService script?

I noticed it is possible for pretty much anyone with the proper URL to have complete control over localization spreadsheets: create, update, clear and anything else the plugin can do.

I'm not 100% familiar with Google Scripts, but would having two WebServices (one with read/write access for developers and one with read-only access for anyone else) fix the issue?

Thanks!

WebService Security 2 weeks 6 days ago #3064

  • Frank
  • Administrator
Hi,
I have been working on several features that require a new WebService (v6). One of the things it has is a password for any modification (Import, Create, etc.). It only allows Export (which is read-only and only used in the clients) without a password.
Given that the edit features are only used in the Editor, the password is never saved into the build. That way, no one can use the WebService to modify the localization data, just read it (which is what the game client does anyway).

This is working in v6 with a bunch of other things. But it will take a bit of time before I finish the rest of the features needed for v6.
That said, what I'm going to do is port the password feature into v5 and release it in the next beta.

Hopefully, I will have that by tomorrow in v2.8.7b3.
Once you download that version from the beta folder, you will need to delete your current WebService and install it again, so that the plugin gets the updated v5 script.

Hope that helps,
Frank
Are you :-) Give I2L 5 stars!
Are you :-( Please let us know how to improve it!
To get the betas as soon as they are ready, check this out
The following user(s) said Thank You: bibz87
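
The split Frank describes above (Export open, a password for every other action) can be sketched as a default-deny dispatcher. This is an added example, not the plugin's WebService script; the function names, the config shape, the in-memory sample data and the refusal to run with the default password are assumptions.

```javascript
// Added illustration, not the plugin's script. Config shape and names are assumed.
const OPEN_ACTIONS = new Set(['Export']);   // read-only, the only call clients make
const DEFAULT_PASSWORD = 'change_this';     // default value quoted in this thread

// Compare without stopping at the first differing character.
function constantTimeEquals(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Default-deny: any action not listed as open needs the password,
// including actions added to the service later.
function authorize(params, config) {
  const action = String(params.action || '');
  if (OPEN_ACTIONS.has(action)) return { ok: true, action };
  if (!config.password || config.password === DEFAULT_PASSWORD) {
    // Assumed hardening; the thread does not say the real script does this.
    return { ok: false, error: 'Password not configured' };
  }
  const supplied = typeof params.password === 'string' ? params.password : '';
  if (!constantTimeEquals(supplied, config.password)) {
    return { ok: false, error: 'Wrong Password' };
  }
  return { ok: true, action };
}

// A doGet/doPost wrapper would pass its parsed parameters to this function.
function handleRequest(params, config, handlers) {
  const verdict = authorize(params, config);
  if (!verdict.ok) return { status: 'error', message: verdict.error };
  if (!Object.prototype.hasOwnProperty.call(handlers, verdict.action)) {
    return { status: 'error', message: 'Unknown action' };
  }
  return { status: 'ok', result: handlers[verdict.action](params) };
}

// Constructed sample data: an in-memory object stands in for the spreadsheets.
const sheets = { UI: { Play: 'Jouer' } };
const handlers = {
  Export: (p) => sheets[p.sheet] || null,
  Import: (p) => { sheets[p.sheet] = p.data; return true; },
};
```

Because the check runs before dispatch and keys off an allowlist of open actions, a request naming an action the service does not know still gets "Wrong Password" rather than revealing which actions exist.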

WebService Security 2 weeks 5 days ago #3065

  • bibz87
Hi Frank,

Thanks for the quick answer!

Honestly, I didn't think there'd be a fix that early; I was just flagging a security issue. :)

From what I see, password-protected edit access seems to do the trick!

I'll check the beta folder for the new version and try it out as soon as it's available. I'll keep you posted if issues occur with the beta build.

Thanks!

WebService Security 2 weeks 5 days ago #3066

  • Frank
2.8.7b3 is now in the beta folder.

Remember to delete the old WebService and install it again to access the code.
Hope that helps,
Frank

WebService Security 2 weeks 5 days ago #3067

  • bibz87
Thanks, Frank!

I'll try it right away!

WebService Security 2 weeks 5 days ago #3068

  • bibz87
Noticed a bug with Language Source: if the "In Google Drive" droplist has already been populated (by calling the script before changing the password, for example) and the password gets changed, the droplist stays populated even if Refresh throws a "Wrong Password" error.

Steps to reproduce:
  1. Make sure you already have at least one localization Spreadsheet in your Google Drive
  2. Install WebService from 2.8.7b3 and leave default password ("change_this")
  3. Set WebService URL in Language Source
  4. Click Verify
  5. Click Refresh. Notice droplist gets populated, as expected
  6. Change password in WebService and publish as new version
  7. Update WebService URL in Language Source if necessary
  8. Click Refresh. Notice the "Wrong Password" error being displayed, but the droplist still has Spreadsheets from the previous refresh