Security?

[marks]

This is very cool, do not get me wrong. I would warn people who choose to use your hosted version that their fitbit data will be available to the public.

1. It looks like your user_id is the same as the identifier Fitbit assigns users
2. If you know someone's Fitbit-assigned ID, you can go to http://fitboard.me/dash/<user_id> to see their stats (assuming they have authorized Fitboard.me.

Not a huge issue, but you may want to think about adding a warning and/or including some sort of authenticity token to secure people's data better.

[ctaloi]

Hey Marks - Point taken.

I struggled with how to best handle the user_id issue, I tried using a hash or obfuscating the user_id string but kept running into complications with passing the URL to Statusboard and how to prevent a users session from expiring and presenting a failed login message in Statusboard. An obfuscated string in the URL would have only as much security as the user_id string albeit longer. The user can revoke access once authenticated via Fitbit which purges the user_id from the db.

I should revisit this, and your correct - in the short term I should disclose this on the about page.

[marks]

@ctaloi Thanks for being receptive to feedback! I look forward to keeping an eye on this project. You may or may not be interested in some of the work my computer (socialhealthinsights.com) did for designing a PHR (personal health record) of the future: http://hdc.socialhealthinsights.com/future