Update authmedia link to use one-time token for private assets #1535
Comments
➤ James Chien commented: API for creating a temp token: https://api.numbersprotocol.io/api/v3/redoc/#operation/assets_private_share. I think we also need to update Authmedia to read the tmp_token parameter and pass it to the backend.
➤ Bofu Chen commented: When sharing a private Asset, you will get a URL for sharing, and there is currently an access token in the URL. This is a security issue because whoever gets the access token can access your Capture account. One of the solutions is to replace the access token with a temporary token, which is available from the API in the prior comment.
➤ Tammy Yang commented: Thank you for the reminder. Sam, whenever you are going to dev authmedia, let me know, and I will provide you the permission. Before starting to develop it, I suggest you take a look at basic Bubble dev: https://bubble.io/home (should be very straightforward).
➤ Sam commented: James Chien, as far as I understood, when we create a capture from the capture app it's private by default. Then when the user clicks the share button from DetailsPage we make that capture public by setting public_access to true.
➤ Sam commented: Tammy Yang, I'm about to do this task. What permissions do I need in Bubble? Also, I have no idea what authmedia is yet.
➤ Sam commented: When I click share capture it generates this link https://authmedia.net/asset-profile?cid=bafkreieg6nwlfgq46xygozetpif7wnltsdbsftnkrz5uyzrahtx34ouvri but when I open it, it shows me (screenshot attached). Do we have a development environment for authmedia.net (like dia-backend-dev.numbersprotocol.io)?
➤ Tammy Yang commented: Sam, yes, this reminds me we also need to modify Authmedia. I believe we need to postpone the task to the next sprint because we need Ethan Wu's help to fix that first.
➤ Tammy Yang commented: Update Authmedia to accept one-time token ( https://app.asana.com/0/0/1200944943061163/f/ )
➤ James Chien commented: Sam, we don't have a dev Authmedia site which links to the dia-backend-dev site, but you can upload the same image to the dev and production site backends to simulate what you will see on the Authmedia production site. (Same image means same cid/mid.)
➤ James Chien commented:
Yes, I think that's the current behavior for sharing, but it might be irrelevant to the current issue. The user can click the CID and navigate to Authmedia without choosing to share; see the functions openCertificate() and getAssetProfileUrl(). What we will need to do here is add an API call to the endpoint I mentioned in the first comment to generate a temporary token, and put the temporary token in the URL instead of including diaBackendAuthService.token$ in the URL.
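The change described in the comment above, as an added TypeScript example that is not code from the Capture app or from Authmedia: the legacy link that embeds the long-lived access token sits next to the hardened link that carries only the CID and a backend-issued one-time token, plus the check a test suite would use to make sure the session token never appears in a generated link. Assumptions not taken from the thread: the `issue` callback stands in for the call to the assets_private_share endpoint (its request path is not shown here), and the query parameter names `token` (legacy) and `tmp_token` (hardened) are illustrative; the CID is the one from Sam's comment.

```typescript
// Added example (not the Capture app's or Authmedia's own code). It shows the
// change discussed in this thread: the share link carries a backend-issued
// one-time token instead of the user's long-lived access token.
// Assumptions, not taken from the page: the issuer callback stands in for the
// HTTP call to the assets_private_share endpoint (request path not shown
// here); the query parameter names `token` (legacy) and `tmp_token`
// (hardened) are illustrative.

const AUTHMEDIA_ASSET_PROFILE = 'https://authmedia.net/asset-profile';

// Returns a fresh one-time token for the given asset CID. In the app this
// wraps the backend call; here it is injected so the module runs offline.
type OneTimeTokenIssuer = (cid: string) => string;

// The CIDs seen on the page are lowercase base32 (bafk...); reject anything
// else so a caller cannot smuggle extra query syntax into the link.
function isWellFormedCid(cid: string): boolean {
  return /^[a-z2-7]+$/.test(cid);
}

// 'Before': the long-lived access token rides along in the link. Anyone who
// obtains the link can act as the account owner until the token expires.
function legacyShareUrl(cid: string, accessToken: string): string {
  const url = new URL(AUTHMEDIA_ASSET_PROFILE);
  url.searchParams.set('cid', cid);
  url.searchParams.set('token', accessToken);
  return url.toString();
}

// 'After': only the CID and a short-lived one-time token appear in the link.
function buildShareUrl(cid: string, tmpToken: string): string {
  if (!isWellFormedCid(cid)) throw new Error('unexpected CID format');
  if (!tmpToken) throw new Error('backend returned an empty one-time token');
  const url = new URL(AUTHMEDIA_ASSET_PROFILE);
  url.searchParams.set('cid', cid);
  url.searchParams.set('tmp_token', tmpToken);
  return url.toString();
}

// What getAssetProfileUrl() would do after the change: ask the backend for a
// one-time token first, then build the link from it.
function shareUrlWithOneTimeToken(cid: string, issue: OneTimeTokenIssuer): string {
  return buildShareUrl(cid, issue(cid));
}

// Authmedia side: read the tmp_token parameter it will forward to the backend.
function readTmpToken(url: string): string | null {
  return new URL(url).searchParams.get('tmp_token');
}

// Regression check for the app's tests: no generated link may contain the
// session token in any query parameter.
function urlLeaksToken(url: string, accessToken: string): boolean {
  let leaks = false;
  new URL(url).searchParams.forEach((value) => {
    if (value === accessToken) leaks = true;
  });
  return leaks;
}
```

In the app the issuer would be an HTTP call and `shareUrlWithOneTimeToken` would await it; the synchronous callback here keeps the example runnable without a backend. `urlLeaksToken` is the kind of assertion worth keeping in the test suite after the fix, so a later refactor cannot quietly reintroduce the session token into the link.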
➤ Ethan Wu commented: I have completed this. Need to pass QA and deploy.
➤ Kenny Hung commented: Sam, Ethan Wu: the authmedia one-time token has passed QA and is deployed.
➤ Kenny Hung commented: Because Sam has started on this task, move to the 0526 sprint.
➤ Sam commented: James Chien, here is the pull request ( #1653 )
➤ Tammy Yang commented: Bofu Chen ^
➤ Tammy Yang commented: Sam, has this been done?
➤ Sam commented: Tammy Yang, yes. It's in 0.58.2, which I just submitted for QA.
Issue is synchronized with this Asana task by Unito
Created By: Tammy Yang