Increasing SteemConnect security

in utopian-io •  5 months ago

Hello Steem developers and SteemConnect users,

Project: SteemConnect, Pull Request

This PR is about increasing security of SteemConnect apps by adding a server IPs restriction.

Please type in this field the IPs of your servers that will be allowed to use SteemConnect API refresh token calls. When using an refresh token, we'll now check the app linked to this token and check if the server where the request is coming from is allowed.

You can leave this field blank but I don't recommend it especially if you're app is running in production and using offline access.

This security layer will prevent stolen tokens from being used on a server that you don't control. But this we not stop malicious code from being executed from your server. That is your responsibility.

Lastly if you're the owner of an app please take the time to increase your app security. Below is the list of all app owner that we know. If you find your name that means you own an app. So please take the time to update your app if it's running in production.

App's owner list:

@aaronteng, @abhishekvaid, @adoelesteem, @air-clinic, @airhawk-exchange, @akintunde, @alaingold, @alexverge, @aley, @anarcotech, @andreistalker, @andrekweku, @andybets, @aneilpatel, @anonycoin, @ansek, @anthonyadavisii, @aquacy, @arsteem, @asbear, @asgarth, @azaanwrites, @azarus, @bennierex, @betel, @biddle, @binjeeclick, @binkley, @birdinc, @blockchan, @bloque64, @bostrot, @br3adina7or, @cadawg, @callahan, @cdhexx, @cha0s0000, @christianjombo, @clevershovel, @cloh76, @codewithcheese, @comsamo, @creative-commons, @crowdini, @crypticwyrm, @cryptocrusaders, @cryptogecko, @cryptosharon, @crypto.talk, @cryptouru, @damaera, @darkflame, @debraycodes, @decebal2dac, @decentmemes, @deimus, @demotruk, @dgames, @dhealth, @disregardfiat, @doctor.fish, @doctorvee, @doreami93, @dpornco, @dragosroua, @dunite, @dwarrilow2002, @eastmael, @eddy-ghost, @elegance, @emrebeyler, @enki74, @ercu, @eternittyyy, @ety001, @ewq, @excitedntl, @fabien, @feekayo, @fel1xw, @fervi, @firedream, @fode, @franky4dita, @franticich, @freetissues, @funnyman, @gameland, @gangze, @gentlemanoi, @geronimo, @gktown, @gokulnk, @good-karma, @gregory.latinier, @guix77, @hakancelik, @harjuky, @harpagon, @heimindanger, @helo, @heriadi, @hernandev, @hightouch, @howo, @hoxly, @hrock, @hsynterkr, @hui.zhao, @hyperspaceonline, @iamankit, @icaro, @idlebright, @igster, @iguazi123, @ikidnapmyself, @imlikett, @inertia, @institute, @jacobyu, @jakipatryk, @jakipatryk-dev, @jalasem, @jamzed, @jefft, @jefpatat, @jeonghckr7, @jes2850, @jestemkioskiem, @jlebrijo, @jm90mm, @jmsofarelli, @jnmarteau, @johnesan, @jrawsthorne, @juicer, @jungs, @justinadams, @kellyjanderson, @kennybll, @kirkins, @kizzbonez, @klye, @knowledges, @koinbot, @kryptonia, @kwlvarun, @kws4679, @lanmower, @leap8, @leebs1986, @letseat, @leventsane, @lightproject, @lopezdacruz, @lrmedia, @mafouani, @mahdiyari, @markangeltrueman, @martibis, @maxg, @maxse, @mburakolgun, @memeit.lol, @minnowhelperteam, @mkt, @modenacook, @moonrise, @morning, @mowilimi, @mungprik, @mys, @nareshbalaji, @newmoney32601, @nhj12311, @nicniezgrublem, @nikema, @nirgf, @nnnarvaez, @noisy2, @notaku, @ocdb, @okc, @olegn, @olo2552, @omeratagun, @orine, @oroger, @oudekaas, @oups, @overmedia, @pankajwahane, @paolobeneforti, @peerquery, @peneinc, @perduta, @pharesim, @planetenamek, @pranishg, @precise.bot, @predictev, @prenaio, @profchydon, @programminghub, @purec, @puzzledbytheweb, @qny37, @r351574nc3, @ragepeanut, @rahulsps, @ranamuneeb, @reazuliqbal, @recrack, @reggaemuffin, @resteemable, @revo, @rileyge, @rishi556, @robin-maki, @robinron, @ryanli827, @sahidmiller, @sailei1, @sakujo, @salajro, @sambillingham, @samrg472, @schererf, @scorum.community, @scottweston, @sdavignon, @sean0010, @sedatyildiz, @segyepark, @selected, @senku, @sevenfingers, @shango, @shaunmza, @shiningpil, @sidibeat, @sigmundfreud, @sircork, @sjworld, @skenan, @sly13, @smartsteem, @smjn, @snwolak, @soulast, @spmarkets, @steem4keys, @steemalien, @steemanswer, @steemcreate, @steemcurve, @steemdesk, @steemfair, @steemgigs, @steemhelper.com, @steemhunt, @steemic, @steemit-casino, @steemitgame.dev, @steemit.lol, @steemiz, @steempedia.com, @steempostitalia, @steempunknet, @steemraise, @steemvids, @stoodkev, @supahefty, @supergamer, @svosse, @sweever, @syedumair, @talhasch, @taskmanager, @tasteem, @t-bot, @techchat, @tensor, @testbed, @tevo200, @theoldnavy, @thiagosouza, @thornaci, @timothy-mee, @tonychch, @touhidalam69, @tpdns90321, @tray, @twittertipper, @ubg, @ukuleletutorials, @upheaver, @upmewhale, @utopian-io, @vallesleoruther, @vhinojosa, @walnut1, @wehmoen, @wonki33, @wordchase, @x30, @yabapmatt, @yulem, @zakiii, @zemso, @zenkly, @zombee, @zonguin, @zygibo

If you have any questions or concerns feel free to discuss it with us on our discord channel.

Don't forget to follow us @busy.org and use our platform https://busy.org if you like our work! You can help us too by voting for our witness here: @busy.witness

Thanks for reading!

Greg from the @busy.org team

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

I'm on steemconnect right now but the option isn't there.

And how can I completly disable this feature of refresh tokens for my app ? I believe my users will be happier this way.

·

wil be an great project.

·

We should push in prod today or tomorrow. To disable this simply don't ask for offline access. Only refresh tokens are concerned

·
·

Would be even more secure if we could specify available scopes for the app in the dashboard.

·

In the documentation there is mentioned, that refresh token (and OAuth2 code flow) is enabled only, when user agree for na 'offline' scope - does it work in different way?

·

good job mr

·

i need secure ..

Great job gregory!

Please don't tag me unnecessarily -.-

·

I'm sorry but you're the owner of theses apps: dporn.app, steemalerts, utopian.tools, yt2ipfs. So if any of them is using refresh tokens please consider using the IP filter

Thanks for this update... just to be sure, this will affect only the refresh token calls, everything else will continue working without IP restrictions?

·

Yes only when the server ask an access token using a refresh token.
If an app doesn't require offline access you're not concerned

·
·

Perfect, thanks ;)

Congratulations @gregory.latinier! You have received a personal award!

1 Year on Steemit
Click on the badge to view your Board of Honor.

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - The semi-finals are coming. Be ready!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Thanks for idea.this information helps steemians

will be a big projec

Congratulations @gregory.latinier! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of comments received
Award for the number of comments

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - Final results coming soon

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Changes are now in production. Sorry for the delay!

Thanks for this update......

Hey @gregory.latinier

Congratulations! Your contribution was Staff Picked to receive a maximal vote for the development category on Utopian for being of significant value to the project and the open source community.

We're already looking forward to your next contribution!

Contributing on Utopian

Learn how to contribute on our website or by watching this tutorial on Youtube.

Utopian Witness!

Vote for Utopian Witness! We are made of developers, system administrators, entrepreneurs, artists, content creators, thinkers. We embrace every nationality, mindset and belief.

Want to chat? Join us on Discord https://discord.gg/h52nFrV

·

good to see this, nice work guys!

Thanks for the contribution. It has been approved.


Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]

Nice. 👍👍👍

Shoutout @gregory.latinier. Nice leadership move over there.. This is the kind of team play we need..

Great information , Thank you

Will this is more interesting to me., Ive been using busy.org sence was my account approved by steemit. This is veey good and I am appreciate this post thank you so much busy.org teams.

Very nice security addition.

Congratulations @gregory.latinier!
Your post was mentioned in the Steemit Hit Parade in the following category:

  • Pending payout - Ranked 7 with $ 364,32

Heard utopian is no more available

Wow.. nice updates.

Thanks for making Steemconnect more secure.

I just created a new app on Steemconnect and noticed that the save button in the edit section is not working anymore when the Allowed IPs section​ is left blank.

You can leave this field blank but I don't recommend it especially if you're app is running in production and using offline access.

Unfortunately, leaving the Allowed IPs section empty is not working. I opened an issue on GitHub.

Hopefully, you can help me with a question I have, because I am kind of stuck here. I am building a mobile app without a server. What am I supposed to enter in the Allowed IPs section?

Congratulations @gregory.latinier! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on any badge to view your Board of Honor.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last announcement from @steemitboard!

Do you like SteemitBoard's project? Vote for its witness and get one more award!

This is called great news and wonderful innovation because to provide security to the users for their apps is considered difficult job..
Every user to be safe from anything which he cannot tolerate such a amazing thing will help him out..
Thanks for sharing such a special post..

Great job gregory!

sir @gregory.latinier