[GH-ISSUE #30] No authentication in task checking #25

Closed
opened 2026-02-28 01:22:49 +03:00 by kerem · 4 comments

Originally created by @ghost on GitHub (Aug 22, 2012).
Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/30

I know sending a plaintext password in a POST is bad, but it is an incredible improvement over no authentication at all. Until a more secure authentication mechanism is available, task checking should at least have an option to use POST instead of GET, and include both the secret and the device ID in it.

kerem closed this issue 2026-02-28 01:22:49 +03:00

@olliebennett commented on GitHub (Dec 23, 2012):

I agree that this would be an improvement.

In order to maintain backwards compatibility with the current process (i.e. server configurations which currently check for the GET parameter `?task=send`) how about sending both POST and GET together? That is, send a **POST** request to `your_callback_url?task=send`.

As a sidenote, I'm actually satisfied by the level of security offered by the combination of HTTPS POST and the secret/device ID, which sacrifices neither clarity of code nor ease of server development. What would your suggestion be for the "more secure authentication mechanism"?


@ghost commented on GitHub (Feb 28, 2013):

Combining GET and POST like that is kind of ugly, but so is breaking API. There's probably some combination of server and language that breaks even with that, but probably rather rare.

I would propose that since there's already a user-defined secret key (i.e. a password) per sync target, all requests to that target (sending, task checking, potential callbacks) would include in POST these items:

  1. Device ID
  2. A hash of the secret, concatenated with the device ID.
     Hash function should be something widely available, like sha512.

@mandric commented on GitHub (Mar 4, 2013):

I vote for a separate settings option to include username/password for HTTP Basic Auth, that is just used on any request when activated. Basic Auth over HTTPS is not so horrible.


@eyedol commented on GitHub (Apr 8, 2014):

Basic Auth is now supported.

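As an added example (not SMSSync's own code, nor any commenter's), here is a server-side check for the callback that covers both proposals made in this thread: the POSTed device ID plus `sha512(secret || device_id)` from the Feb 28, 2013 comment, and HTTP Basic Auth over HTTPS from the later comments. It keeps `?task=send` in the query string for compatibility, as suggested above, but takes credentials only from the POST body or the `Authorization` header and refuses plain HTTP. The field names `device_id` and `secret_hash`, the callback URL and the credentials are assumptions for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-sync-target settings. The names are assumptions for this
# example, not SMSSync's own settings.
SYNC_TARGET_SECRET = "correct horse battery staple"
BASIC_AUTH_USER = "smssync"
BASIC_AUTH_PASSWORD = "s3cr3t-basic"


def secret_digest(secret, device_id):
    """sha512(secret || device_id), hex encoded, as proposed in the thread."""
    return hashlib.sha512((secret + device_id).encode("utf-8")).hexdigest()


def make_client_body(device_id, secret):
    """What the phone would POST: the device ID and the digest, never the raw secret."""
    return urlencode({"device_id": device_id, "secret_hash": secret_digest(secret, device_id)})


def make_basic_header(user, password):
    """Value of the Authorization header for HTTP Basic Auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_hash_auth(form, secret):
    """Verify device_id + secret_hash from a parsed POST body (a parse_qs dict)."""
    device_id = form.get("device_id", [""])[0]
    presented = form.get("secret_hash", [""])[0]
    if not device_id or not presented:
        return False
    expected = secret_digest(secret, device_id)
    # Constant-time comparison so a wrong digest is not distinguishable by timing.
    return hmac.compare_digest(presented.lower().encode("ascii", "replace"),
                               expected.encode("ascii"))


def check_basic_auth(headers, user, password):
    """Verify an 'Authorization: Basic ...' header against the configured credentials."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so timing does not reveal which one failed.
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    pass_ok = hmac.compare_digest(got_pass.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


def authenticate_task_request(method, url, headers, body):
    """Decide whether an incoming task-check request is authenticated.

    Returns (accepted, reason). ?task=send stays in the query string for
    servers that already key on it; credentials come only from the POST body
    or the Authorization header, and anything not sent over HTTPS is refused.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "credentials only accepted over https"
    if method != "POST":
        return False, "task checking must use POST"
    if parse_qs(parts.query).get("task", [""])[0] != "send":
        return False, "not a task=send request"
    if check_basic_auth(headers, BASIC_AUTH_USER, BASIC_AUTH_PASSWORD):
        return True, "basic auth"
    if check_hash_auth(parse_qs(body), SYNC_TARGET_SECRET):
        return True, "secret hash"
    return False, "no valid credentials"


if __name__ == "__main__":
    # Constructed requests: one per scheme, the hash replayed over plain HTTP, and a bare GET.
    callback = "https://callback.example.invalid/smssync?task=send"
    body = make_client_body("dev-1234", SYNC_TARGET_SECRET)
    basic = {"Authorization": make_basic_header(BASIC_AUTH_USER, BASIC_AUTH_PASSWORD)}
    print(authenticate_task_request("POST", callback, {}, body))
    print(authenticate_task_request("POST", callback, basic, ""))
    print(authenticate_task_request("POST", callback.replace("https", "http", 1), {}, body))
    print(authenticate_task_request("GET", callback, {}, ""))
```

One caveat worth keeping in mind with the hash scheme: `sha512(secret || device_id)` is the same value on every request from a given device, so anyone who captures it can replay it exactly as they could a plaintext secret. That is why the example insists on HTTPS; binding the digest to a per-request nonce or timestamp (for instance with an HMAC over them) would be the next step if replay matters.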