Podio JS: Can I trust that the access/refresh token can only be used from a specific IP address?

Question

I am developing my own app for customizing the behaviour of PODIO. I care very much about the security of my and my customers data. I therefore wrote the following test code:

var api_key = {
    authType: 'password',
    clientId: 'foo',
    clientSecret: 'foo'
};

var podio_api = require('../node_modules/podio-js/lib/podio-js');
var podio = new podio_api (api_key);

var username = 'foo';
var password ='foo';

var callback = function (err, responsedata) {

    if (err) throw (err);
    console.log (responsedata);
};

podio.authenticateWithCredentials (username, password, callback);

It logs the following to the console:

{ access_token: 'foo',
  expires_in: 28800,
  token_type: 'bearer',
  scope: 'global:all',
  ref: { type: 'user', id: 999999 },
  refresh_token: 'foo' }

So in other words it work perfectly (thank you!). But what about security. The following is stated on Podio´s homepage about API conventions and structure:

The API is available at https://api.podio.com. It is RESTful and uses json as the exchange format. SSL is mandatory and used for all communication. OAuth2 is used for authorization and authentication.

But as you can see from the code I did not provide it with any certificate from a certificate signing authority and the program is not running on the domain I have specified as the one for return URL´s under my Podio account settings. So it appears that anyone obtaining a copy of the access / refresh token could access all the data stored in my Podio account.

--> Does the Podio API grant any server in possession of a token access to a given Podio user account?

--> Is the transmission of the access / refresh token encrypted when using Podio JS?

Thank you in advance.

Answer 1

I am definitely no expert, but since no one answered this question here is the answer I have come up with by myself.

---

Question 1: Is the transmission of the token encrypted?

The first thing to be clear about is how use of HTTPS actually works. It consists of communication between a server and a client. The server in this case is https://api.podio.com and the client is a third party application. I have found out that in this relationship only the server needs a certificate signed by a Certificate Authority to establish encrypted HTTPS communication.

For more detailed information see: How does SSL/TLS work? and How HTTPS secures connections.

So I definitely assume that the answer to question 1 is: YES.

Question 2: Does the PODIO server grant access to anyone with a token?

The first thing to be clear about in relation to this questions is how the process of granting acces works. It follows from the PODIO website that is uses OAuth2 to grant a third party application access to the data stored in relation to a given PODIO user account. The process can be visualised this way:

where the User is the relevant PODIO user account, the application is the third party application and the authorisation and resource server is the PODIO server.

It is important in this context to be aware that the third party application can continue to use the access token AFTER the owner of the PODIO user account has logged off and once a token expires, the third party application can receive a new access token using the refresh token received together with the original access token. That is: once the owner of the user account has authorised the issuance of the first access token the third party application has access to the PODIO account 24/7 365 without further involvement of the owner of the user account (of course the owner can choose to revoke the access).

It is also important to be aware that the PODIO API grants access to (almost) ALL data in the user account (contacts, files, comments, items ...).

In this light I regret to have come to the conclusion that the answer to question 2 is also: YES.

---

A finishing remark: The token is encrypted when transmitted and this of course protects against abuse of it. However the communication between the server and client allows for the use of client side certificates.

For more detailed information about these see: What is a client side certificate?

For more information on why they are rarely used see: Why is nobody using SSL client certificates?

The use of client side certificate would allow the server to authenticate the third party client application each time it asked for access to data related to a given user account. This would add and extra layer of security in cases where a token ended up in the wrong hands. I am somewhat disappointed that PODIO currently does not seem to offer this layer of security.

Please help edit this answer if it is insufficient or incorrect. TIA.