Increasing SteemConnect security

Hello Steem developers and SteemConnect users,

Project: SteemConnect, Pull Request

This PR is about increasing security of SteemConnect apps by adding a server IPs restriction.

Please type in this field the IPs of your servers that will be allowed to use SteemConnect API refresh token calls. When using an refresh token, we'll now check the app linked to this token and check if the server where the request is coming from is allowed.

You can leave this field blank but I don't recommend it especially if you're app is running in production and using offline access.

This security layer will prevent stolen tokens from being used on a server that you don't control. But this we not stop malicious code from being executed from your server. That is your responsibility.

Lastly if you're the owner of an app please take the time to increase your app security. Below is the list of all app owner that we know. If you find your name that means you own an app. So please take the time to update your app if it's running in production.

App's owner list:

@aaronteng, @abhishekvaid, @adoelesteem, @air-clinic, @airhawk-exchange, @akintunde, @alaingold, @alexverge, @aley, @anarcotech, @andreistalker, @andrekweku, @andybets, @aneilpatel, @anonycoin, @ansek, @anthonyadavisii, @aquacy, @arsteem, @asbear, @asgarth, @azaanwrites, @azarus, @bennierex, @betel, @biddle, @binjeeclick, @binkley, @birdinc, @blockchan, @bloque64, @bostrot, @br3adina7or, @cadawg, @callahan, @cdhexx, @cha0s0000, @christianjombo, @clevershovel, @cloh76, @codewithcheese, @comsamo, @creative-commons, @crowdini, @crypticwyrm, @cryptocrusaders, @cryptogecko, @cryptosharon, @crypto.talk, @cryptouru, @damaera, @darkflame, @debraycodes, @decebal2dac, @decentmemes, @deimus, @demotruk, @dgames, @dhealth, @disregardfiat, @doctor.fish, @doctorvee, @doreami93, @dpornco, @dragosroua, @dunite, @dwarrilow2002, @eastmael, @eddy-ghost, @elegance, @emrebeyler, @enki74, @ercu, @eternittyyy, @ety001, @ewq, @excitedntl, @fabien, @feekayo, @fel1xw, @fervi, @firedream, @fode, @franky4dita, @franticich, @freetissues, @funnyman, @gameland, @gangze, @gentlemanoi, @geronimo, @gktown, @gokulnk, @good-karma, @gregory.latinier, @guix77, @hakancelik, @harjuky, @harpagon, @heimindanger, @helo, @heriadi, @hernandev, @hightouch, @howo, @hoxly, @hrock, @hsynterkr, @hui.zhao, @hyperspaceonline, @iamankit, @icaro, @idlebright, @igster, @iguazi123, @ikidnapmyself, @imlikett, @inertia, @institute, @jacobyu, @jakipatryk, @jakipatryk-dev, @jalasem, @jamzed, @jefft, @jefpatat, @jeonghckr7, @jes2850, @jestemkioskiem, @jlebrijo, @jm90mm, @jmsofarelli, @jnmarteau, @johnesan, @jrawsthorne, @juicer, @jungs, @justinadams, @kellyjanderson, @kennybll, @kirkins, @kizzbonez, @klye, @knowledges, @koinbot, @kryptonia, @kwlvarun, @kws4679, @lanmower, @leap8, @leebs1986, @letseat, @leventsane, @lightproject, @lopezdacruz, @lrmedia, @mafouani, @mahdiyari, @markangeltrueman, @martibis, @maxg, @maxse, @mburakolgun, @memeit.lol, @minnowhelperteam, @mkt, @modenacook, @moonrise, @morning, @mowilimi, @mungprik, @mys, @nareshbalaji, @newmoney32601, @nhj12311, @nicniezgrublem, @nikema, @nirgf, @nnnarvaez, @noisy2, @notaku, @ocdb, @okc, @olegn, @olo2552, @omeratagun, @orine, @oroger, @oudekaas, @oups, @overmedia, @pankajwahane, @paolobeneforti, @peerquery, @peneinc, @perduta, @pharesim, @planetenamek, @pranishg, @precise.bot, @predictev, @prenaio, @profchydon, @programminghub, @purec, @puzzledbytheweb, @qny37, @r351574nc3, @ragepeanut, @rahulsps, @ranamuneeb, @reazuliqbal, @recrack, @reggaemuffin, @resteemable, @revo, @rileyge, @rishi556, @robin-maki, @robinron, @ryanli827, @sahidmiller, @sailei1, @sakujo, @salajro, @sambillingham, @samrg472, @schererf, @scorum.community, @scottweston, @sdavignon, @sean0010, @sedatyildiz, @segyepark, @selected, @senku, @sevenfingers, @shango, @shaunmza, @shiningpil, @sidibeat, @sigmundfreud, @sircork, @sjworld, @skenan, @sly13, @smartsteem, @smjn, @snwolak, @soulast, @spmarkets, @steem4keys, @steemalien, @steemanswer, @steemcreate, @steemcurve, @steemdesk, @steemfair, @steemgigs, @steemhelper.com, @steemhunt, @steemic, @steemit-casino, @steemitgame.dev, @steemit.lol, @steemiz, @steempedia.com, @steempostitalia, @steempunknet, @steemraise, @steemvids, @stoodkev, @supahefty, @supergamer, @svosse, @sweever, @syedumair, @talhasch, @taskmanager, @tasteem, @t-bot, @techchat, @tensor, @testbed, @tevo200, @theoldnavy, @thiagosouza, @thornaci, @timothy-mee, @tonychch, @touhidalam69, @tpdns90321, @tray, @twittertipper, @ubg, @ukuleletutorials, @upheaver, @upmewhale, @utopian-io, @vallesleoruther, @vhinojosa, @walnut1, @wehmoen, @wonki33, @wordchase, @x30, @yabapmatt, @yulem, @zakiii, @zemso, @zenkly, @zombee, @zonguin, @zygibo

If you have any questions or concerns feel free to discuss it with us on our discord channel.

Don't forget to follow us @busy.org and use our platform https://busy.org if you like our work! You can help us too by voting for our witness here: @busy.witness

Thanks for reading!

Greg from the @busy.org team

Sort:  

I'm on steemconnect right now but the option isn't there.

And how can I completly disable this feature of refresh tokens for my app ? I believe my users will be happier this way.

wil be an great project.

We should push in prod today or tomorrow. To disable this simply don't ask for offline access. Only refresh tokens are concerned

Would be even more secure if we could specify available scopes for the app in the dashboard.

In the documentation there is mentioned, that refresh token (and OAuth2 code flow) is enabled only, when user agree for na 'offline' scope - does it work in different way?

good job mr

i need secure ..

I'm sorry but you're the owner of theses apps: dporn.app, steemalerts, utopian.tools, yt2ipfs. So if any of them is using refresh tokens please consider using the IP filter

Hy all I just started to giveaway SBD on MY BLOG Check to participate

thanks sending dollers

Thanks for idea.this information helps steemians

Changes are now in production. Sorry for the delay!

Thanks for this update... just to be sure, this will affect only the refresh token calls, everything else will continue working without IP restrictions?

Yes only when the server ask an access token using a refresh token.
If an app doesn't require offline access you're not concerned

Perfect, thanks ;)

Heard utopian is no more available

Shoutout @gregory.latinier. Nice leadership move over there.. This is the kind of team play we need..

Thanks for this update......

Coin Marketplace

STEEM 0.35
TRX 0.12
JST 0.040
BTC 70733.96
ETH 3563.16
USDT 1.00
SBD 4.76