
Web access to files

Open entropitor opened this issue 11 years ago • 7 comments

It would be nice if we could log in to restore and look at

  1. The applications that have access to our files (and add a possibility to revoke them).
  2. The files themselves.

entropitor avatar Mar 23 '14 16:03 entropitor

a UI for listing and revoking access tokens is indeed missing from reStore.

for the files themselves you can use export.5apps.com, remotestorage-browser.5apps.com, or a similar app.

michielbdejong avatar Mar 24 '14 03:03 michielbdejong

Sorry I didn't have time to look at this when you posted it.

I think access to files is out of scope, since that can be done using a client application with the root:rw scope.

Administering authorizations is certainly necessary but I think it should possibly be a separate application. Since that would involve using sessions, it would complicate the security considerations of reStore itself, which currently does not use sessions anywhere. And, whereas reStore is implemented on top of the bare Node http module, something with sessions and UI stuff would be easier built on top of something like Express.

Such an application could be built on top of the reStore backend storage engine abstraction as it stands, I believe. Are there any methods we'd need to add to that interface to facilitate an app like this?

jcoglan avatar Mar 05 '15 09:03 jcoglan

It'd be nice if reStore recorded a last-used date on authorization, so a potential interface could automatically revoke old tokens. I think this would be a great UI in addition to grouping authorizations by redirect URI.

untitaker avatar Sep 22 '15 22:09 untitaker

However, I don't think separating the administration interface from the storage engine is a good idea from a user's perspective. Perhaps I am misunderstanding this, but this new application would probably run on a new port? I suspect that would complicate matters for people who run restore behind a reverse proxy (e.g. myself).

untitaker avatar Sep 22 '15 22:09 untitaker

The admin interface would have to run on a separate port, or if on the same port then at least without CORS headers, to avoid exposing its cookie to applications on other origins, which are allowed to access the API but not the admin interface.

michielbdejong avatar Sep 23 '15 06:09 michielbdejong

Is there a security problem in just sending different/no CORS headers for the OAuth and admin paths?

untitaker avatar Sep 23 '15 16:09 untitaker

I think it should be ok, so then you don't need two separate ports! :)

michielbdejong avatar Sep 25 '15 13:09 michielbdejong
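
The per-path CORS policy the last comments settle on, sketched as an added example that is not part of the thread or of reStore's code. The `/storage/`, `/oauth/` and `/admin/` prefixes and the function names are assumptions for illustration.

```javascript
// Added example. Path prefixes are assumptions, not reStore's actual routes.
const CORS_PREFIXES = ['/storage/']; // token-authorized API, open to other origins

function pathnameOf(rawUrl) {
  // Collapse leading slashes, then resolve "." and ".." segments, so that
  // "/storage/../admin/" is judged as "/admin/" and not as a storage path.
  const collapsed = String(rawUrl).replace(/^\/+/, '/');
  return new URL(collapsed, 'http://placeholder.invalid').pathname;
}

function corsHeadersFor(rawUrl, origin) {
  const path = pathnameOf(rawUrl);
  if (!origin || !CORS_PREFIXES.some((prefix) => path.startsWith(prefix))) {
    return {}; // OAuth and admin pages: no CORS headers at all
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, PUT, DELETE, HEAD, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type, If-Match, If-None-Match',
    // Deliberately no Access-Control-Allow-Credentials: the API is authorized
    // by bearer token, so cookies are never needed on a cross-origin request.
  };
}

// Request listener with the (req, res) shape that http.createServer expects.
function handle(req, res) {
  const headers = corsHeadersFor(req.url, req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    // A preflight for a non-CORS path gets no allow headers, so the browser
    // refuses to send the real cross-origin request.
    res.statusCode = Object.keys(headers).length ? 204 : 403;
    return res.end();
  }
  res.statusCode = 200; // real routing would go here
  res.end();
}
```

Omitting CORS headers stops other origins from reading admin responses, but a browser will still send simple cross-origin requests (such as form posts) with the cookie attached, so state-changing admin routes need their own CSRF protection.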