
In order to access my Kinvey account from the web, I put the following in my config.js file:

var config = {
    kinvey : {
        app : {
            key : 'kid_123123123',
            secret : '66a1111f62233445502833'
        }
    }
};

and init it in every js file like below:

var promise = Kinvey.init({
    appKey    : config.kinvey.app.key,
    appSecret : config.kinvey.app.secret
});

If a person gets my key and secret, then he will be able to do CRUD on my Kinvey database. Any solution to this?

Cheers, Mark Thien

  • Seriously? Keep your secret *secret*. It's called that for a reason. – Blorgbeard Nov 05 '14 at 02:54
  • @Mark Thien Did you get the answer? Would you mind sharing that? – Yogesh Nov 17 '14 at 05:19
  • @Blorgbeard - Not true at all. A *shared* secret is exactly that. A master secret should never be revealed. Many APIs use shared secrets just like this. It's futile to take the words used in programming to their literal definition. – OhmzTech Nov 20 '14 at 06:58

1 Answer


This is perfectly fine; that's how Kinvey and many other services/libraries operate. You can (and must) put your appKey and secret into your initialization; however, what you don't and shouldn't ever put into your client-side code is your master secret. This is what allows anyone to perform any transaction on the database.

You don't need to be concerned about security as long as you set your permissions correctly, which is why they exist. A user could create their own account and perform transactions against the database, but only within the permissions you specify. This is why you almost never want to set collection permissions to wide open. By default, collection permissions are set to "shared", which means users can write against their own records, and only read against other users' records.

OhmzTech
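As an added example (not code from the thread, from Kinvey's SDK, or from the answerer), the following JavaScript models the distinction the answer draws: a self-registered account holding only the app key and secret is bounded by collection permissions, whereas a config that ships a master secret to the browser is not. The mode names "shared" and "full", the `_acl.creator` record field, the `masterSecret`/`master_secret` config keys and all sample data are assumptions and constructed values, not Kinvey's actual schema.

```javascript
// Added example, not part of the original thread or Kinvey's SDK.
// Assumptions (mine): permission modes are named "shared" and "full";
// records carry an `_acl.creator` field; configs are plain objects shaped
// like the asker's config.js.

const COLLECTION_MODES = {
  // Default described in the answer: owners may write their own records,
  // any authenticated user may read.
  shared: { read: () => true, write: (user, rec) => rec._acl.creator === user },
  // "Wide open": anyone holding the app key/secret may read and write anything.
  full:   { read: () => true, write: () => true },
};

// Decide whether `user` (an ordinary, self-registered account) may perform
// `op` ("read" | "write") on `record` in a collection with mode `mode`.
function canAccess(mode, user, op, record) {
  const rule = COLLECTION_MODES[mode];
  if (!rule) throw new Error(`unknown collection mode: ${mode}`);
  if (op === 'read') return rule.read(user, record);
  if (op === 'write') return rule.write(user, record);
  throw new Error(`unknown op: ${op}`);
}

// Replay a hostile account's attempts against a constructed collection and
// report which ones the permission mode allows.
function simulate(mode) {
  // Constructed sample data: two users' records in one collection.
  const collection = [
    { _id: 'r1', _acl: { creator: 'alice' },   body: 'alice note' },
    { _id: 'r2', _acl: { creator: 'mallory' }, body: 'mallory note' },
  ];
  const attacker = 'mallory'; // registered using only the public app key/secret
  return {
    readAlice:  canAccess(mode, attacker, 'read',  collection[0]),
    writeAlice: canAccess(mode, attacker, 'write', collection[0]),
    writeOwn:   canAccess(mode, attacker, 'write', collection[1]),
  };
}

// Build-time guard for the client bundle: refuse to start if the config
// carries any field that looks like a master secret. Key names are assumed.
const MASTER_SECRET_KEYS = ['masterSecret', 'master_secret'];
function assertClientSafe(cfg) {
  const found = [];
  (function walk(obj, path) {
    for (const [k, v] of Object.entries(obj)) {
      const p = path ? `${path}.${k}` : k;
      if (MASTER_SECRET_KEYS.includes(k)) found.push(p);
      else if (v && typeof v === 'object') walk(v, p);
    }
  })(cfg, '');
  if (found.length) {
    throw new Error(`master secret must not ship to clients: ${found.join(', ')}`);
  }
  return true;
}

// Constructed configs: the asker's shape with placeholder values, and a
// variant that mistakenly includes a master secret.
const clientConfig = { kinvey: { app: { key: 'kid_EXAMPLE', secret: 'APP_SECRET_EXAMPLE' } } };
const badConfig = {
  kinvey: { app: { key: 'kid_EXAMPLE', secret: 'APP_SECRET_EXAMPLE', masterSecret: 'NEVER_IN_CLIENT' } },
};

function demo() {
  console.log('shared:', simulate('shared')); // readAlice true, writeAlice false, writeOwn true
  console.log('full:  ', simulate('full'));   // everything true: this is the "wide open" case
  console.log('client config ok:', assertClientSafe(clientConfig));
  try { assertClientSafe(badConfig); } catch (e) { console.log(e.message); }
}
demo();
```

The point of `simulate` is that leaking the app key/secret only buys an attacker the rights of an ordinary user, so the damage is whatever the collection mode grants; `assertClientSafe` is the kind of check a build or CI step can run so the master secret never reaches a browser bundle in the first place.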