
Trello token security issue?

I'm building an application to send a cart to my Trello board, but I don't want users to have to accept the application (for this they must have a Trello account); instead I created another account ('slave account'), gave it read/write permission to my board and generated a read/write token that never expires.

On my webpage I include core.js

https://api.trello.com/1/client.js?key=[appkey]&token=[token]

Everything works but... if a user checks my code he can see my "app key" and "token".

So my question is:
1. Is this a security problem - a visitor can take this app key/token and access the board? (I believe it is)
2. How do I change my code so that a visitor to the page doesn't see my app key/token?

thx

If you are making your token available to people, then yes, there is a potential security issue there - with the key and token, they can issue requests as you for any permissions you have granted on that token. So if you want to create a token with write access to the board, you probably want to keep that on the server side, and have your JavaScript submit to your server, which then in turn relays that to the Trello site using the token you generated.

If you are worried that you have revealed a token you did not want to, you can invalidate it at the bottom of your account page at https://trello.com/your/account .
