security of sending links for email verification

0 votes

This is a follow up question to

http://forum.shephertz.com/?qa=6983/how-to-do-email-verification

with regard to security. Let's say I send the user a link for verification, which, according to the answer given in the above post, would be something like this:

String url = "http://cdn.shephertz.com/...../email.html"+ "?name=" +"Armin" +"&"  + "email=" +"armin@example.com" +"&";

All good. Now I also generate a new API key from the dashboard, which only gives access to the method "updateDocument", since I only want the user to be able to change a variable in the database, i.e.:

 {"email":"armin@example.com","activated":false}

Now here comes the awkward part: I have to set the permissions for the mentioned JSON object as PUBLIC/READ and PUBLIC/WRITE. This basically means that someone can take the verification link and easily substitute the email part with some invalid email address, and they still manage to verify their email like this (since, as I said earlier, these records are public read/write):

String url = "http://cdn.shephertz.com/...../email.html"+ "?name=" +"SomeUnverifiedUser" +"&"  + "email=" +"SomeInvalidAdress@example.com" +"&";

Or worse, somebody can copy my JavaScript code and mess with my database records, and the next thing you know people cannot log in. Is there any way to put some restriction on the generated verification link so that it could only be used once and expire afterwards? Or maybe somehow restrict it to be used only from the email address it was sent to?

cheers,

Armin


asked Aug 19, 2015 in App42 Cloud API-BaaS by armin65 (39 points)
retagged Aug 19, 2015 by armin65

Furthermore, a clarification on the following issues would also be really helpful; I couldn't find anything in the docs:

How can I get the url of a file that I uploaded using AppHq, by having only its "name" from client side?

Is it possible to add a message to a custom template email that I have made from AppHq? It seems that if I use the custom template, the parameters "sendSubject" and "sendMsg" are ignored.

1 Answer

0 votes

Hello Armin,

You can easily resolve this by defining the permissions of the document at the time of creation with the ACL API. To do this, please have a look at the code snippet below:

// C# (App42 C# SDK): grant read/write on the document to one named user only,
// instead of PUBLIC/READ and PUBLIC/WRITE.
using System.Collections.Generic;
using com.shephertz.app42.paas.sdk.csharp;   // ACL, Permission

HashSet<ACL> aclSet = new HashSet<ACL>();
aclSet.Add(new ACL("<User_Name>", Permission.READ));
aclSet.Add(new ACL("<User_Name>", Permission.WRITE));

// storageService is the StorageService instance (App42API.BuildStorageService())
// on which the document is then inserted; the ACL list applies to that insert.
storageService.SetAclList(aclSet);

Once you set this ACL permission, that user has access to write to the document based on his sessionId. So what you need to do is append the session id of the user to the above URL, read that session id in the JS code, and set it on the storage service instance while updating the user document. It will resolve both of your queries, because nobody will know the session id of the user.

In order to get the file URL using the file name, please have a look at this code snippet of the file upload service.

To answer your last query: as of now there is no way to add/update the emailSubject and message in your custom email template using code. I would suggest creating a run-time template in your custom code if you need to update these fields.

Let me know if you require any help while integrating it.

P.S. Please have a look at this link to understand the concept of securing an app using the ACL feature.

Thanks,

Himanshu Sharma 

answered Aug 20, 2015 by hs00105 (2,005 points)

Thanks for the answer, that cleared things up a little bit. However, right now I am getting "unauthorised access" upon calling getfilebyname; I have made a custom key and already granted access to the getfilebyname function for this key.

And interestingly, if I use the function uploadService.GetAllFilesCount, it always succeeds in retrieving the count, even if it is not added to the custom key which was used to initialise the App42 instance. Edit: On second check, this works sometimes and sometimes spews "Unauthorised access".

Edit: It seems that granting access to a custom key does not do anything at all; furthermore, the names of the API methods do not reflect the names I see in the actual API.

Edit: I am getting unauthorised access even if I use the original API key which was generated when I created the app.

Could you please share the internal logs of this method when you get this exception? To print the method logs, put the line of code below before making the request of the leaderboard call:

App42Log.SetDebug(true);

Regards,
Himanshu Sharma

Hello Armin,

Thanks for sharing your logs with us. As we are able to see, you are getting the "Client is not authorized for this operation" exception at the time of calling Upload and "Client is not authorized" while calling the Session API. Please make sure you have given access to that method to the custom code. Also, if you have created a global instance of the App42 service, then we would suggest you create a new instance in case of setting a custom key.

To address your second query of getting the session id of the user using the Session service, you need to set the admin key in the service instance. So please first set the admin key in the Session Service instance and let me know if it helps.

Regards,
Himanshu Sharma
App42 Team

As I mentioned before, I already added these methods to my custom key, and again, as I mentioned, even using the general apiKey or adminKey does not work, and I get the following in both cases:

Exception : com.shephertz.app42.paas.sdk.csharp.App42SecurityException: {"httpErrorCode":"401", "appErrorCode":"1401", "message":"UnAuthorized Access", "details":"Client is not authorized"}

Furthermore, I think using the adminKey in my client-side application is really a bad choice, since someone can reassemble my code and use my adminKey to access all APIs.

Hello Armin,

Yes, you are right, putting the admin key on the client side is a bad choice. But we have written about the error which you are getting while calling the Session API. Is it possible that you can share your sample source code with us? It will help us to provide better support to you.

Regards,
Himanshu Sharma

Unfortunately I cannot share the code, because it's part of a larger project and I'm not allowed to share it. Let me see if I can reproduce it on a simple Unity3d project.