Filepicker API key

Question

I like to ask a newbie question. By setting API key in JavaScript, wouldn't anyone can read the source and use the key freely?

Edited >>

Extracted the jsFiddle codes,

filepicker.setKey('8PbzrhP9Tr2r6wPlSqzS');

/* Unsecured */


/*
filepicker.pick(function(fpfile){
   console.log(fpfile);
});

filepicker.read(fpfile, function(contents){
    console.log(contents);  
})
*/


var fpfile = {'url': 'https://www.filepicker.io/api/file/KW9EJhYtS6y48Whm2S6D'};
var policy = 'eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=';
var signature = '4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18';


filepicker.read(fpfile, {policy: policy, signature:signature}, function(contents){
    console.log(contents);  
})

filepicker.pick({policy: policy, signature:signature}, function(fpfile){
   console.log(fpfile);
});

How does it prevents anyone from using the key ONLY, to upload or read/download files from my account?

score 3 · Answer 1 · answered Apr 01 '13 at 18:15

3

Because browser-side javascript is always publically readable, your API key will be visible to others. To increase the protection of your API key beyond simple url/hostname checking, you can use the rich policy-based security API we provide: https://developers.filepicker.io/docs/security/

answered Apr 01 '13 at 18:15

brettcvz

2,371
1
13
14

Let's say I generated a policy for uploading. Wouldn't the whole url still be used maliciously? Unless the policy restrict to time based, but that will mean generating same policy (with different timing) often? And a time based policy for reading? Is it feasible? – twb Apr 02 '13 at 05:19
Yes, the policy is time based, and you can use time based policies for reading as well – brettcvz Apr 03 '13 at 01:49
What about the other issues? Is Filepicker server side handling any misuse of whole policy url or just the api key is enough? – twb Apr 03 '13 at 02:27
I'm not sure what this is asking - yes, we have code that enforces the parameters set in the policy are respected (correct handle, path, etc.) – brettcvz Apr 03 '13 at 16:28
I mean a url with policy to write to s3. Is there anything to prevent other people from using the whole policy url to upload to my s3? On the other hand, from Filepicker.io jsFiddle codes, [ filepicker.setKey('8PbzrhP9Tr2r6wPlSqzS'); filepicker.pick({policy: policy, signature:signature}, function(fpfile){ ] what is stopping other people from using the api key directly? – twb Apr 03 '13 at 17:05
The expiry of the policy allows yo to control the duration for which the policy is viable, so you can set it to be very short to prevent misuse if you are concerned about it. – brettcvz Apr 17 '13 at 03:04

score 0 · Answer 2 · answered Mar 31 '13 at 17:49

0

Java bytecode is easily reversable with trivial amount of work. If you need to have it, pull it from a website using TLS and store it in RAM or at the very least, xor it with a password

answered Mar 31 '13 at 17:49

Srdjan Grubor

2,605
15
17

Filepicker API key

2 Answers2