Storing OAuth secret in the open-source project - c++

I'm using Dropbox OAuth in my desktop application for uploading files. However, my app is open-source, so I have no idea how to store the app secret. If I don't hide it, any other program will be able to use my app identity.
I could include a separate header file (C++) with the secret keys and not distribute this header in my sources, but, in my opinion, such a repository will look a bit inadequate (correct me if I'm wrong).
Any suggestions?

I think the typical thing to do here is to omit the app key and secret from your source and give people instructions for how to create their own app key and secret via the Dropbox website.

I think you hit the nail on the head - the nature of sharing your software as FOSS means that anybody can duplicate any portion of your program's functionality; this also implies that anyone can design software to impersonate any aspect of your program. This is by no means a bad thing; it's just the nature of open source.
If you selectively hide your app secret, all you're doing is preventing others from building your source and getting the same result as you get when you build it. That's pretty much contrary to open source principles IMO.
If the problem is the risk of app deletion on some marketplace due to secret getting compromised, then one solution is to generate a new app secret at build time, for each individual build - although this is far from ideal.
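As an added C++ illustration of the advice in the answers above (this is not code from the original question or answers), the program below keeps the Dropbox app key and secret out of the repository entirely: it reads them at runtime from environment variables or from a git-ignored per-user config file, and when neither is present it prints the "create your own app" instructions instead of failing silently. The names (`DropboxAppCredentials`, `loadAppCredentials`, the `DROPBOX_APP_KEY`/`DROPBOX_APP_SECRET` variables and the `dropbox_app.conf` file) are assumptions chosen for this example, and the secret is redacted in any log line.

```cpp
// Added example: load Dropbox app credentials at runtime instead of shipping
// them in a header. All names below are assumptions, not the page's code.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <istream>
#include <map>
#include <optional>
#include <sstream>
#include <string>

struct DropboxAppCredentials {
    std::string key;
    std::string secret;
};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    std::size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Minimal "name = value" parser; lines starting with '#' are comments.
std::map<std::string, std::string> parseKeyValueConfig(std::istream& in) {
    std::map<std::string, std::string> out;
    std::string line;
    while (std::getline(in, line)) {
        std::string t = trim(line);
        if (t.empty() || t[0] == '#') continue;
        std::size_t eq = t.find('=');
        if (eq == std::string::npos) continue;
        out[trim(t.substr(0, eq))] = trim(t.substr(eq + 1));
    }
    return out;
}

// Credentials from an open config stream; nullopt if either value is absent.
std::optional<DropboxAppCredentials> credentialsFromConfig(std::istream& in) {
    auto kv = parseKeyValueConfig(in);
    auto k = kv.find("app_key");
    auto s = kv.find("app_secret");
    if (k == kv.end() || s == kv.end() || k->second.empty() || s->second.empty())
        return std::nullopt;
    return DropboxAppCredentials{k->second, s->second};
}

// Credentials from the environment (assumed variable names).
std::optional<DropboxAppCredentials> credentialsFromEnv() {
    const char* k = std::getenv("DROPBOX_APP_KEY");
    const char* s = std::getenv("DROPBOX_APP_SECRET");
    if (!k || !s || !*k || !*s) return std::nullopt;
    return DropboxAppCredentials{k, s};
}

// Environment first, then the per-user config file. The file is listed in
// .gitignore so it is never committed; the repository ships only this loader.
std::optional<DropboxAppCredentials> loadAppCredentials(const std::string& configPath) {
    if (auto c = credentialsFromEnv()) return c;
    std::ifstream f(configPath);
    if (!f) return std::nullopt;
    return credentialsFromConfig(f);
}

// The README-style instructions that replace a shipped secret.
std::string missingCredentialsHelp(const std::string& configPath) {
    return "No Dropbox app credentials found.\n"
           "Create your own app on the Dropbox website, then either export\n"
           "DROPBOX_APP_KEY and DROPBOX_APP_SECRET or put\n"
           "  app_key = <your key>\n  app_secret = <your secret>\n"
           "in " + configPath + " (this file is git-ignored).";
}

// Never print the secret; show only enough of the key to tell which one loaded.
std::string redactForLog(const std::string& value) {
    if (value.size() <= 4) return std::string(value.size(), '*');
    return value.substr(0, 4) + std::string(value.size() - 4, '*');
}

int main() {
    const std::string path = "dropbox_app.conf";  // assumed file name
    auto creds = loadAppCredentials(path);
    if (!creds) {
        std::cerr << missingCredentialsHelp(path) << '\n';
        return 1;
    }
    std::cout << "Using Dropbox app key " << redactForLog(creds->key) << '\n';
    return 0;
}
```

This changes nothing about what the answers say: anyone who builds the program still supplies their own key and secret, and the app identity that ends up in a binary can still be extracted from that binary. What it removes is the secret from the public history of the repository, which is the part a maintainer actually controls.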

Related

How to search for Shiny Apps - Rstudio

I'm entering the world of Shiny Rstudio now. So this is a beginner question
One question I came up with is: how do I search for the Shiny Apps available/created? Are all created Apps available? Is there any way that, once I create my app, I prevent it from being viewed? Or during the creation I "block it"?
From so much searching I found this link via Rstudio's website: http://www.showmeshiny.com/
Would this be the search platform for all apps made?
But in the case of http://www.showmeshiny.com/ it seems that it is necessary to send it via "Submit App".
I am not sure if I understand your questions correctly but I might be able to give you some insights.
Are all created Apps available?
No, some Shiny Apps are hosted on private servers and/or are embedded in password-protected websites or WordPress pages, for example. If you don't have those access rights, then you cannot see those Apps.
How do I search for the Shiny Apps available/created?
There is no way of doing that, except on pages like Showmeshiny, the RStudio Shiny Gallery, this gallery of recent Shiny Apps or other similar pages. Those Apps are publicly available and you can submit your own App if you like sharing it. Shinyapps.io is a nice and easy way of deploying your App on a server with a few clicks. But you need at least the standard license to include authentication; otherwise they would be free and open for everyone.
Is there any way that, once I create my app, I prevent it from being viewed?
I am not quite sure what you mean. If it should be blocked from being viewed at all, I don't see the reason for building a Shiny App. If you just want to access it yourself, then there are ways of doing so. Either password-protect it so that only you know the password, or host it on a local server that only you can access.
Or during the creation I "block it"?
If you create it on your computer and run it, it will run on your computer and only be accessible to yourself, unless you explicitly configure it otherwise. So there is no need to "block it".

How to hide API key in public open source project?

I have the problem that I want to write a program that will have to interact with some 3rd party web service. This service requires, for specific actions, that the client (my program) authorizes itself by both a username/password combination as well as a token. The username/password is specific to the user of my program and not a problem here. The token (API key) is a problem.
Suppose I want to make my program open source and put its sources on some public server. Of course I cannot hardcode (or include) the API key. Otherwise I would not only break the contract not to publish it but also any (non-authorized) usage will fall back onto me and my program.
According to my research (e.g. Open source a project but keep API keys confidential or How to hide the API key in my Electron application?) I could put a proxy server (closed source) between the 3rd party API and my program. Now I see two big open doors for bad-minded people to attack this scenario:
As the source code of the main program is open source, any interaction with the proxy can be literally read from source code. An attacker could fork my main program and use exactly the same calls on the proxy but with compromised data. Same result as with openly available keys: My program will get into trouble for other people's bad actions/programming skills.
I could add a username/password to authenticate the program against my proxy. I then offer (free-to-use) registration to the proxy in order to allow my program to be used productively. This adds an additional layer of authentication and complexity but is doable. Anyone really wanting to do bad things will nevertheless be able to obtain a password and use his own fork to access the proxy. I cannot put my own keys/encryption/.... anywhere as the necessary routine to decrypt/imitate these will be publicly visible in the open sourced project.
So now I have simply shifted the problem to detect if the running software is an original one, from the 3rd party to my proxy server. I only have the benefit that I could maybe know which user was the bad guy and ban him but this is all I can do while my token might get revoked by this issue.
I am sorry, but I did not find a usable solution on the web to this specific problem. How can I attack this problem (on an abstract level)?
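The proxy the question sketches, as an added C++ illustration (not code from the original question, which has no answer on this page) of the proxy-side controls it mentions: a per-user token issued at registration, a per-user rate limit on calls forwarded upstream, an audit log that ties every decision to an account, and revocation for banning an account. Every name here (`ProxyGate`, `Decision`, `AuditEntry`, `suspiciousUsers`) is an assumption; the networking, persistent storage and hashed token storage a deployed proxy needs are left out, and `std::random_device` stands in for the OS entropy source a real token generator would use.

```cpp
// Added example: the enforcement a closed-source proxy can do when the
// upstream API key must never reach an open-source client. Names are assumed.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <map>
#include <random>
#include <set>
#include <string>
#include <vector>

enum class Decision { Allowed, UnknownToken, Revoked, RateLimited };

struct AuditEntry {
    std::int64_t at;      // request time in seconds
    std::string user;     // "<unknown>" when the token did not resolve
    Decision decision;
};

class ProxyGate {
public:
    ProxyGate(std::size_t maxPerWindow, std::int64_t windowSeconds)
        : maxPerWindow_(maxPerWindow), windowSeconds_(windowSeconds) {}

    // Issue a per-user token at registration. The upstream API key stays on
    // the proxy; a forked client only ever holds the token of its own account.
    std::string registerUser(const std::string& user) {
        std::string token = user + "." + randomHex(16);
        tokenToUser_[token] = user;
        return token;
    }

    // Ban an account: every later request with its token is refused.
    void revoke(const std::string& user) { revoked_.insert(user); }

    // Decide one request. Every decision is recorded so the operator can tell
    // which account was behind abusive upstream calls, not just "my app".
    Decision authorize(const std::string& token, std::int64_t now) {
        auto it = tokenToUser_.find(token);
        if (it == tokenToUser_.end()) return record(now, "<unknown>", Decision::UnknownToken);
        const std::string& user = it->second;
        if (revoked_.count(user)) return record(now, user, Decision::Revoked);

        // Sliding window: drop timestamps older than the window, then count.
        std::deque<std::int64_t>& recent = recent_[user];
        while (!recent.empty() && now - recent.front() >= windowSeconds_) recent.pop_front();
        if (recent.size() >= maxPerWindow_) return record(now, user, Decision::RateLimited);
        recent.push_back(now);
        return record(now, user, Decision::Allowed);
    }

    const std::vector<AuditEntry>& audit() const { return audit_; }

    // Accounts with at least `threshold` denials: the candidates for a ban.
    std::vector<std::string> suspiciousUsers(std::size_t threshold) const {
        std::map<std::string, std::size_t> denials;
        for (const AuditEntry& e : audit_)
            if (e.decision != Decision::Allowed && e.user != "<unknown>") ++denials[e.user];
        std::vector<std::string> out;
        for (const auto& [user, n] : denials)
            if (n >= threshold) out.push_back(user);
        return out;
    }

private:
    Decision record(std::int64_t at, const std::string& user, Decision d) {
        audit_.push_back(AuditEntry{at, user, d});
        return d;
    }

    // Random hex string; std::random_device is assumed to be non-deterministic
    // here, as it is on mainstream platforms.
    static std::string randomHex(std::size_t bytes) {
        static std::random_device rd;
        static const char* digits = "0123456789abcdef";
        std::string out;
        for (std::size_t i = 0; i < bytes; ++i) {
            unsigned b = static_cast<unsigned>(rd() & 0xffu);
            out += digits[b >> 4];
            out += digits[b & 0xfu];
        }
        return out;
    }

    std::size_t maxPerWindow_;
    std::int64_t windowSeconds_;
    std::map<std::string, std::string> tokenToUser_;
    std::set<std::string> revoked_;
    std::map<std::string, std::deque<std::int64_t>> recent_;
    std::vector<AuditEntry> audit_;
};
```

As the question itself notes, none of this stops a determined person from registering and misusing their own account; what it buys is exactly the property the question asks about at the end: abuse is attributable to one account at the proxy, can be throttled there, and can be cut off there, so a single incident no longer puts the one upstream token at risk.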

Difference between a Desktop application and a Web application

What is the difference between a desktop application and a web application? What is the testing strategy for a web site/web application?
I will briefly share some of my experiences, as they may help establish a foundation for you.
The main differences that I have encountered are obviously the usage of markup languages (HTML/HTML5/XML, etc), AJAX, jQuery, and javascript (well, scripting in general). Tools like .NET framework amongst others also exist. You can look those up to get a full definition of what they are and how they work together, but they introduce a new way of problem solving in terms of building small bridges to reach the end result.
As in any application, keep in mind the user-end side of the application. Millions of people will have access to it at exactly the same time. Security is paramount with web apps. Ensure you have strong security measures tied into your page.
Aesthetics will take more precedence than with desktop applications (depending on what they are). Web applications are a visual experience. You want to make sure that when you design it, fields are easily identifiable, the app is easily navigable, and easy to read.
For testing, simply save your code with the right extension and run it from wherever you saved it. Most current operating systems know what kind of web code the file is written in and will open it in a browser. Say if you wrote "myPage.html" and saved it to your desktop, you will see an HTML icon that says "myPage". If you need to make changes, edit your code, re-save it, then simply refresh your web browser.
I know this is a very, very general answer, but I'm attempting to touch upon everything that I've experienced over the summer. Hopefully this is helpful, or at least brings some considerations to mind when designing your web app. Good luck!

Multiple deployment environments (production/staging/etc) and Facebook Apps

I'm looking for a "best practice" kind of answer with regard to Facebook Apps and staging/production environment. Instinctively, I've provided each environment with its own Facebook App, complete with its own ID and secret. It appears (here, here and through extensive Googling) that it's simply not possible to share OG configuration across apps, so I've been copying application settings across environments (icon, requested permissions and texts, etc). It's been a pain and ugly, but I've lived with it.
Alas, with the introduction of opengraph actions, this isn't funny anymore - much more to copy and everything has to go through the approval process. Is there no better way to do this? A coworker suggested we simply share the same app across all environments, but I'm apprehensive about that - it means we'll have to share production secrets with the staging environment (I'm not even talking about localhost development environments), and that we'll need to route Facebook traffic to the correct environment somehow (because one Facebook app means one Page Tab URL).
There has to be a better way... no?
I see there's a feature called "Test Apps" now that seems to fit the bill:
https://developers.facebook.com/docs/apps/test-apps/
Test Apps are like regular apps in that they have their own App ID and independent settings, but they offer a number of advantages for use during pre-production:
...
When creating test apps, the settings are copied from your production app, so it's simple to spin up new apps which mirror your production app's settings.
It's working for me so far.
I asked practically the same question at a breakout session at F8 last year. Creating multiple apps is the best practice. They are aware that it is an inconvenience, especially with the open graph objects and actions. They did however mention the possibility of setting up apps in the future via the API, but I am still waiting for this. Until then, it's a manual process.

Single sign on with confluence wiki

I would like to use our current intranet as the main application to authenticate users. Confluence should be able to read the cookie I created from the intranet to authenticate the user automatically without prompting them for a username/password. I read a bit about Seraph here: http://docs.atlassian.com/atlassian-seraph/latest/sso.html, however I am not really sure how to get started. I downloaded the zip and created the config files. However, once I have created the classes, in which folder do I place them and how do I actually compile them? I am new to Java.
I would prefer not to use Crowd, since it's very expensive, and if we can build the SSO on our own, then we can save a lot of money.
Any help is appreciated.
I am using 3.1.1 on Windows.
The simplest way to integrate is to copy and modify the CAS client, linked from the page above. If you're completely new to Java, there's a bit of a learning curve: you need to create a JAR file which you copy into the $CONF_HOME/confluence/WEB-INF/lib directory, along with modifying your seraph-config.xml.
I'm not sure I can give you a complete tutorial on how to build a JAR file here, but the CAS client uses Ant, so if that's what you're modifying, install Java and Ant and run "ant build.xml" in the directory.
Hope that makes some sort of sense :-)