Supposing a user allowed (on his machine) rclone to access its Google Drive. Does it mean that someone else using rclone on another machine has access?

Even having it in a public binary just makes it a bit harder, but that doesn't really change the security.

The only thing you can do with the rclone client secret is pretend to be the rclone app, which doesn't gain you anything really.

Note that the secret is obfuscated, so you can't get it from looking at the source without a bit of work.

Again, not really making it a lot harder to derive it.

I should probably rename the constant to rcloneEncryptedClientSecret or something like that, which will give people who are viewing the source code a bit more confidence.

I'd suggest offering, during setup, to either use the default key (with a notice that it may reduce security) or let users provide their own (with a link to the Google Developer Console to help set one up).

Doing so doesn't change the security of anything though.

You can already provide your client details in the setup process.

As I understand it, the role the sk plays is that an app can pretend to be rclone and get a token using the Google auth UI.

Hmm, sounds like a common problem; I think you might be right about the answer being wrong. But any app could just as well pretend to be rclone with their own appid and secret anyway. Furthermore, the client secret leak breaks a layer of protection designed to ensure the legitimacy of the communicating server.

There would be no token granted without a new user access approval (is that right?), and afaik if the token was already obtained somehow, it can be used without the sk (is that right?). Which seems to be the case, and also something of a flaw for use cases involving OAuth and client-side code :-/ Incidentally, I don't think binaries or 'Encrypted' secret ids are that great. I took the SE commenter's advice and set up my own app & key. When I inserted it into the rclone code, I got an error about it not being a valid base64 code, or something - it wasn't hard to figure it out, namely find:
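The thread above turns on two points: an "obscured" client secret in the source is only an encoding, because the key needed to reveal it ships with the program, and pasting a raw secret where an obscured one is expected produces a base64 error. The following is an added example, not rclone's code: a minimal obscure/reveal pair of the kind described (AES-CTR with a random IV under a key that lives in the source, base64url-encoded). The key `obscureKey`, the constructed secret string and all function names are assumptions for illustration; the key is not rclone's.

```go
// Added example (not rclone's own code): an rclone-style "obscure" of a
// client secret. Anything the program can reveal, a reader of the program
// can reveal too, because the key is right here in the source.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Assumed illustrative key (32 bytes -> AES-256). It stands in for the
// constant a program must carry to decode its own obscured secret; it is
// NOT the key rclone uses.
var obscureKey = []byte("0123456789abcdef0123456789abcdef")

// Obscure encrypts plaintext with AES-CTR under obscureKey, prepends the
// random IV, and encodes the result as unpadded URL-safe base64.
// Output differs on every call because the IV is random.
func Obscure(plaintext string) (string, error) {
	block, err := aes.NewCipher(obscureKey)
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+len(plaintext))
	iv := buf[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCTR(block, iv).XORKeyStream(buf[aes.BlockSize:], []byte(plaintext))
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Reveal is the inverse. This is the whole "bit of work" needed by anyone
// holding the source or the binary: decode, split off the IV, decrypt.
func Reveal(obscured string) (string, error) {
	buf, err := base64.RawURLEncoding.DecodeString(obscured)
	if err != nil {
		return "", fmt.Errorf("input is not valid base64: %w", err)
	}
	if len(buf) < aes.BlockSize {
		return "", errors.New("input too short to contain an IV")
	}
	block, err := aes.NewCipher(obscureKey)
	if err != nil {
		return "", err
	}
	iv, ct := buf[:aes.BlockSize], buf[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// RoundTrips reports whether a secret survives Obscure -> Reveal, i.e.
// whether the transform is a reversible encoding rather than a one-way
// protection.
func RoundTrips(secret string) bool {
	obs, err := Obscure(secret)
	if err != nil {
		return false
	}
	back, err := Reveal(obs)
	return err == nil && back == secret
}

// RevealOfRawSecretIsWrong shows what happens when an unobscured secret is
// pasted where an obscured one is expected: depending on its characters
// and length it either fails base64 decoding (the error mentioned in the
// thread) or decrypts to garbage. Either way the result is not the secret.
func RevealOfRawSecretIsWrong(raw string) bool {
	got, err := Reveal(raw)
	return err != nil || got != raw
}

func main() {
	const secret = "GOCSPX-example-client-secret" // constructed, not a real secret
	obs, _ := Obscure(secret)
	fmt.Println("obscured:", obs)
	back, _ := Reveal(obs)
	fmt.Println("revealed:", back)
	_, err := Reveal("client_secret=plain text!") // raw value with non-base64 characters
	fmt.Println("revealing a raw secret:", err)
}
```

Run it with `go run` and the obscured value changes each time while `Reveal` always returns the original; that is the point of the thread's "not really making it a lot harder to derive it". The only way the secret stays out of reach of the next reader is for it not to be in the shipped artifact at all, which is what supplying your own client_id and client_secret at setup achieves for your own copy.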