How bad is publishing the app secret really?


Problem description

After significant voodoo, I have finally got the scores API working. Turns out you have to set Enhanced Auth Dialog to disabled or Facebook ignores your publish_actions permission. Just a heads up in case anyone else is struggling.

However, I'm working entirely in the Javascript API. No server-side scripting is available.

The only way to publish a score is with an app access token. The only way to get one of them is to use the app secret, and that would have to be in the javascript code for the world to see. How bad is that exactly?

TBH I don't care if someone spoofs the scores to my little pong-style games. Good for them, only them and their friends can see it. It's just a bit of fun. But what exactly can go wrong if my app secret is published? Can someone hijack the entire application? Or is it just bad practice and nothing much can go wrong with a little mini game?

It's all purely javascript SDK so it seems to work only by user access tokens, so my first instinct is it's OK. But I thought I'd ask....!

Recommended answer

What other permissions are you using? If you're using "publish_stream" I'm sure you could imagine the shenanigans that could ensue! Even worse, if the user has both your public and private key (which they will) they could create an entire spoof application that identifies itself as you!

The "domain" options in facebook should prevent this, but if there's any chance an attacker could do an XSS attack they could potentially write malicious apps that masquerade as your game.

Have you considered writing something very simple with google app engine for the sole purpose of dealing with the app authentication token?
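The small server-side piece the answer proposes, as an added example (not code from the original thread): the app secret stays on the server, the browser sends only its own user token and a score, and the server checks that the token belongs to this app before writing the score with the app token. The Graph API calls are injected as graphGet/graphPost so the module runs offline; makeFakeGraph, the app id "123", the secret and the user id "42" are constructed sample values.

```javascript
// Added example: a minimal score-publishing backend that keeps the app secret
// off the client. graphGet/graphPost would call https://graph.facebook.com in production.

// Facebook accepts "APP_ID|APP_SECRET" as an app access token. Build it only on
// the server; it must never be embedded in JavaScript served to browsers.
function appAccessToken(appId, appSecret) {
  return `${appId}|${appSecret}`;
}

function createScorePublisher({ appId, appSecret, graphGet, graphPost }) {
  const appToken = appAccessToken(appId, appSecret);

  // The browser sends only its own user access token and the score.
  async function publishScore(userToken, score) {
    if (!Number.isInteger(score) || score < 0) {
      return { ok: false, error: "score must be a non-negative integer" };
    }
    // Check that the user token is valid and was issued to *this* app before
    // acting on it; the app token authenticates the /debug_token call.
    const info = await graphGet("/debug_token", { input_token: userToken, access_token: appToken });
    const data = info && info.data;
    if (!data || !data.is_valid || data.app_id !== appId) {
      return { ok: false, error: "user token is not valid for this app" };
    }
    // The score is written with the app token, which the client never receives.
    const res = await graphPost(`/${data.user_id}/scores`, { score, access_token: appToken });
    return { ok: Boolean(res && res.success), userId: data.user_id };
  }

  return { publishScore };
}

// Constructed stand-in for the Graph API so the example runs offline: it records
// every call and reports a valid token belonging to app "123" and user "42".
function makeFakeGraph() {
  const calls = [];
  return {
    calls,
    graphGet: async (path, params) => {
      calls.push({ path, params });
      return { data: { is_valid: true, app_id: "123", user_id: "42" } };
    },
    graphPost: async (path, params) => {
      calls.push({ path, params });
      return { success: true };
    },
  };
}
```

The browser-side game then POSTs `{ userToken, score }` to this endpoint instead of ever holding the app token itself.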
