Fitboard
Fitboard copied to clipboard
Security?
This is very cool, do not get me wrong. I would warn people who choose to use your hosted version that their fitbit data will be available to the public.
- It looks like your
user_id
is the same as the identifier Fitbit assigns users - If you know someone's Fitbit-assigned ID, you can go to
http://fitboard.me/dash/<user_id>
to see their stats (assuming they have authorized Fitboard.me.
Not a huge issue, but you may want to think about adding a warning and/or including some sort of authenticity token to secure people's data better.
Hey Marks - Point taken.
I struggled with how to best handle the user_id issue, I tried using a hash or obfuscating the user_id string but kept running into complications with passing the URL to Statusboard and how to prevent a users session from expiring and presenting a failed login message in Statusboard. An obfuscated string in the URL would have only as much security as the user_id string albeit longer. The user can revoke access once authenticated via Fitbit which purges the user_id from the db.
I should revisit this, and your correct - in the short term I should disclose this on the about page.
@ctaloi Thanks for being receptive to feedback! I look forward to keeping an eye on this project. You may or may not be interested in some of the work my computer (socialhealthinsights.com) did for designing a PHR (personal health record) of the future: http://hdc.socialhealthinsights.com/future