
I am building a prototype to have a single application providing models for the Forge viewer. Each user should have their own models and not be able to see the models of others.

For this I would consider "separation in application architecture" as described here: https://forge.autodesk.com/blog/accounts-apps-keys-and-ids (manual app creation per client is not an option). If buckets are generated in a way that cannot be guessed, we could consider separation per bucket enough (even if not fully secure against a "lucky" hit).

I tried to use the scope viewables:read, which, from the documentation, will "only be able to read the end user's viewable data". I cannot list buckets (GET buckets), as expected, but I can access a bucket by name (GET buckets/:bucketKey/details).

Is viewables:read safe enough for what I described, or should I expect other points to be readable that I would not expect, like this one?

Is viewables:read the option discussed in this article, https://forge.autodesk.com/blog/securing-your-forge-viewer-token-behind-proxy ? Or does the Forge roadmap include some finer-grained access control?

Thank you,

Fabien
  • How are you handling the multiple users that will be able to upload models to the buckets? Are you storing them with some sort of ID in an external DB? If so, I would say use only viewables:read and make individual buckets for your users using an assigned id for each of them, something unique. So when they are in your system and they want to see their models, only their models will be displayed. – Jaime Rosales Apr 29 '18 at 21:52
  • Yes, multiple users will be able to upload to a "private" bucket. Yes, I have an external DB-ID I can use. The only security limitation is that the DB-ID should not be known to someone else; otherwise, with some hack, content can be accessed if you are not the DB-ID user. I am considering using DB_ID + uuid to limit this. Thanks. – Fabien Apr 30 '18 at 07:30
  • Using the DB-ID + uuid will do the trick. Bucket names are limited to 128 all-lowercase characters, so I think you should be OK to do what you are thinking of. – Jaime Rosales May 01 '18 at 13:11
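An added example of the DB-ID + uuid scheme the comments settle on (my own sketch, not code from the question, the comments or Forge): a server-side derivation of an unguessable per-user bucket key, validated against the OSS bucket-key constraints as I remember them (assumed, verify against the current docs), plus an ownership check so that the secrecy of the key is not the only control. The names `make_bucket_key` and `BucketRegistry` are mine.

```python
import re
import secrets
import hmac

# Forge OSS bucket-key constraints as I recall them from the OSS docs
# (assumption, verify against the current docs): 3-128 characters drawn
# from -_.a-z0-9, globally unique across all apps and regions.
BUCKET_KEY_RE = re.compile(r"[-_.a-z0-9]{3,128}")
TOKEN_BYTES = 16  # 128 bits of randomness: not enumerable by a "lucky hit"


def make_bucket_key(app_prefix: str, db_id: str) -> str:
    """Derive a per-user bucket key: <app prefix>-<DB id>-<random token>.

    The DB id keeps the key traceable to a user; the random token is what
    makes it unguessable, since DB ids are typically sequential.
    """
    key = f"{app_prefix}-{db_id}-{secrets.token_hex(TOKEN_BYTES)}".lower()
    if not BUCKET_KEY_RE.fullmatch(key):
        raise ValueError(f"not a valid OSS bucket key: {key!r}")
    return key


class BucketRegistry:
    """Server-side user -> bucket mapping (constructed, in-memory stand-in
    for the external DB mentioned in the comments).

    The browser never sends a bucket key: it asks for *its* models and the
    server resolves the bucket from the authenticated identity, so the
    key's secrecy is defence in depth rather than the only control.
    """

    def __init__(self, app_prefix: str):
        self._app_prefix = app_prefix
        self._by_user = {}

    def provision(self, db_id: str) -> str:
        """Create (once) and return the bucket key owned by a user."""
        if db_id not in self._by_user:
            self._by_user[db_id] = make_bucket_key(self._app_prefix, db_id)
        return self._by_user[db_id]

    def owns(self, db_id: str, bucket_key: str) -> bool:
        """Authorize a request that names a bucket: constant-time compare
        against the caller's own bucket so nothing leaks via timing."""
        expected = self._by_user.get(db_id, "")
        return bool(expected) and hmac.compare_digest(expected, bucket_key)
```

The viewer token itself would still be issued with viewables:read only; the registry decides which bucket a user may even ask about.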
