0

I have a file hierarchy that gets files and folders from one of the user's hubs. All of these calls are on the server side. Can these calls reside on the client side and still remain secure? None of these calls use my client secret from my Forge application. To clarify, can you answer which calls can be client- or server-side and still be 100% secure?

Get 3-legged auth (exposes client secret) - secure or not on client side

Get hubs - secure or not on client side

Get projects - secure or not on client side

Get files in folders - secure or not on client side

Get versions of files - secure or not on client side

Download files - secure or not on client side

2 Answers

1

As you can read in this article: https://developer.autodesk.com/en/docs/oauth/v2/overview/scopes/ Autodesk says about scopes that on the client side only the viewables:read scope should be available.

"Because this means that the token is exposed on the client-side, it is important to make sure that the token is restricted for Viewer calls to the viewables:read scope, which limits access to the end user’s viewable output files (SVF, PNG, etc). This is particularly important in a two-legged context, where a malicious end user could use an unscoped token to take actions across the platform on the developer’s behalf and compromise the developer’s data."

I don't know what kind of application you are building but you have to ask yourself what your users are able to do with the scopes you give them.

Since you give scopes on your whole account and not on specific buckets, you also have to ask yourself if clients who have access to folder "a" can also see the content of folder "b".

  • I would recommend not even exposing a viewables:read token to your client, instead prefer to use a secure proxy approach: https://forge.autodesk.com/blog/securing-your-forge-viewer-token-behind-proxy – Felipe Mar 20 '18 at 08:22
  • I'll stick with server side requests. Just to be safe. – Jakeb Barnett Mar 20 '18 at 12:45
1

None of the calls can be secure on the client, as you need to expose a token with a specific scope (data:read, data:write or both ...). The way to secure your app is to perform all calls to Forge from your server only, then expose the features you need on the client through controlled endpoints, either REST or GraphQL like in my latest article.

This way you expose only the data you want, and you can have better control over what use is made of it; for example, you can limit the rate of use of your endpoints so you avoid DDoS attacks using your keys. If you use node.js it is easy: express-rate-limit.

Securing a web application is a very broad topic, there are many areas you may want to explore, but keep in mind that everything that is exposed to a client is considered not secured.

Hope that helps

Felipe
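Added example, not code from either answer or from Autodesk, of the server-side proxy pattern both answers recommend. The token exchange that needs the client secret is injected as `fetchToken` and never leaves the server; the browser only reaches a fixed route (`/api/hubs` is an assumed name); `isClientSafe` encodes the viewables:read rule quoted from the Autodesk docs; and a small fixed-window limiter stands in for express-rate-limit so the block runs offline with no dependencies. The Forge path `/project/v1/hubs` and the `data[].attributes.name` response shape follow the Data Management API, but the hub values in the usage are constructed.

```javascript
// Scopes a token may carry if it is ever handed to browser code (the rule quoted
// from the Autodesk scopes page: only viewables:read belongs on the client).
const CLIENT_SAFE_SCOPES = new Set(['viewables:read']);

// True only when every requested scope is on the client-safe list.
function isClientSafe(scopes) {
  return scopes.length > 0 && scopes.every((s) => CLIENT_SAFE_SCOPES.has(s));
}

// Fixed-window rate limiter keyed by client (stand-in for express-rate-limit).
// `now` is injectable so the behaviour can be checked without real time passing.
class RateLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> { count, windowStart }
  }
  allow(key) {
    const t = this.now();
    const entry = this.hits.get(key);
    if (!entry || t - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: t });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

// Server-side token cache. fetchToken(scopes) is the exchange that uses the client
// secret (assumed to read it from an environment variable); it is called here and
// nowhere reachable from the browser.
function createTokenCache(fetchToken, now = () => Date.now()) {
  const cache = new Map(); // scope string -> { accessToken, expiresAt }
  return async function getToken(scopes) {
    const key = scopes.join(' ');
    const hit = cache.get(key);
    // Refresh a minute before expiry so a request never goes out with a dead token.
    if (hit && hit.expiresAt - now() > 60_000) return hit.accessToken;
    const tok = await fetchToken(scopes); // { access_token, expires_in } as Forge returns
    cache.set(key, { accessToken: tok.access_token, expiresAt: now() + tok.expires_in * 1000 });
    return tok.access_token;
  };
}

// The only surface the browser sees: a fixed table of routes, each mapped to one
// Forge call made server-side. forgeGet(path, token) performs the HTTP request and
// is injected so the example runs offline.
function createProxy({ fetchToken, forgeGet, limiter, now = () => Date.now() }) {
  const getToken = createTokenCache(fetchToken, now);
  const routes = {
    // Assumed route name; the Forge path is the Data Management hubs endpoint.
    '/api/hubs': { scopes: ['data:read'], forgePath: '/project/v1/hubs' },
  };
  return async function handle(clientKey, path) {
    if (!limiter.allow(clientKey)) return { status: 429, body: { error: 'rate limited' } };
    const route = routes[path];
    if (!route) return { status: 404, body: { error: 'unknown endpoint' } };
    const token = await getToken(route.scopes); // data:read token stays in this process
    const data = await forgeGet(route.forgePath, token);
    // Hand back only the fields the page needs, never the raw response or the token.
    const hubs = data.data.map((h) => ({ id: h.id, name: h.attributes.name }));
    return { status: 200, body: { hubs } };
  };
}

// Usage with constructed stand-ins for the Forge calls (no network involved).
async function demo() {
  const proxy = createProxy({
    fetchToken: async (scopes) => ({ access_token: 'constructed-' + scopes.join(','), expires_in: 3600 }),
    forgeGet: async () => ({ data: [{ id: 'hub-1', attributes: { name: 'Constructed Hub', region: 'US' } }] }),
    limiter: new RateLimiter(100, 60_000),
  });
  return proxy('203.0.113.5', '/api/hubs'); // { status: 200, body: { hubs: [{ id: 'hub-1', name: 'Constructed Hub' }] } }
}
```

The browser calls `/api/hubs` and receives a trimmed hub list; the data:read token, the client secret, and the Forge response body beyond the chosen fields all stay on the server, and the limiter caps how fast any one caller can drive the endpoint with your keys.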