Increasing SteemConnect security
Hello Steem developers and SteemConnect users,
Project: SteemConnect, Pull Request
This PR is about increasing security of SteemConnect apps by adding a server IPs restriction.
Please type in this field the IPs of your servers that will be allowed to use SteemConnect API refresh token calls. When using an refresh token, we'll now check the app linked to this token and check if the server where the request is coming from is allowed.
You can leave this field blank but I don't recommend it especially if you're app is running in production and using offline access.
This security layer will prevent stolen tokens from being used on a server that you don't control. But this we not stop malicious code from being executed from your server. That is your responsibility.
Lastly if you're the owner of an app please take the time to increase your app security. Below is the list of all app owner that we know. If you find your name that means you own an app. So please take the time to update your app if it's running in production.
App's owner list:
@aaronteng, @abhishekvaid, @adoelesteem, @air-clinic, @airhawk-exchange, @akintunde, @alaingold, @alexverge, @aley, @anarcotech, @andreistalker, @andrekweku, @andybets, @aneilpatel, @anonycoin, @ansek, @anthonyadavisii, @aquacy, @arsteem, @asbear, @asgarth, @azaanwrites, @azarus, @bennierex, @betel, @biddle, @binjeeclick, @binkley, @birdinc, @blockchan, @bloque64, @bostrot, @br3adina7or, @cadawg, @callahan, @cdhexx, @cha0s0000, @christianjombo, @clevershovel, @cloh76, @codewithcheese, @comsamo, @creative-commons, @crowdini, @crypticwyrm, @cryptocrusaders, @cryptogecko, @cryptosharon, @crypto.talk, @cryptouru, @damaera, @darkflame, @debraycodes, @decebal2dac, @decentmemes, @deimus, @demotruk, @dgames, @dhealth, @disregardfiat, @doctor.fish, @doctorvee, @doreami93, @dpornco, @dragosroua, @dunite, @dwarrilow2002, @eastmael, @eddy-ghost, @elegance, @emrebeyler, @enki74, @ercu, @eternittyyy, @ety001, @ewq, @excitedntl, @fabien, @feekayo, @fel1xw, @fervi, @firedream, @fode, @franky4dita, @franticich, @freetissues, @funnyman, @gameland, @gangze, @gentlemanoi, @geronimo, @gktown, @gokulnk, @good-karma, @gregory.latinier, @guix77, @hakancelik, @harjuky, @harpagon, @heimindanger, @helo, @heriadi, @hernandev, @hightouch, @howo, @hoxly, @hrock, @hsynterkr, @hui.zhao, @hyperspaceonline, @iamankit, @icaro, @idlebright, @igster, @iguazi123, @ikidnapmyself, @imlikett, @inertia, @institute, @jacobyu, @jakipatryk, @jakipatryk-dev, @jalasem, @jamzed, @jefft, @jefpatat, @jeonghckr7, @jes2850, @jestemkioskiem, @jlebrijo, @jm90mm, @jmsofarelli, @jnmarteau, @johnesan, @jrawsthorne, @juicer, @jungs, @justinadams, @kellyjanderson, @kennybll, @kirkins, @kizzbonez, @klye, @knowledges, @koinbot, @kryptonia, @kwlvarun, @kws4679, @lanmower, @leap8, @leebs1986, @letseat, @leventsane, @lightproject, @lopezdacruz, @lrmedia, @mafouani, @mahdiyari, @markangeltrueman, @martibis, @maxg, @maxse, @mburakolgun, @memeit.lol, @minnowhelperteam, @mkt, @modenacook, @moonrise, @morning, @mowilimi, @mungprik, @mys, @nareshbalaji, @newmoney32601, @nhj12311, @nicniezgrublem, @nikema, @nirgf, @nnnarvaez, @noisy2, @notaku, @ocdb, @okc, @olegn, @olo2552, @omeratagun, @orine, @oroger, @oudekaas, @oups, @overmedia, @pankajwahane, @paolobeneforti, @peerquery, @peneinc, @perduta, @pharesim, @planetenamek, @pranishg, @precise.bot, @predictev, @prenaio, @profchydon, @programminghub, @purec, @puzzledbytheweb, @qny37, @r351574nc3, @ragepeanut, @rahulsps, @ranamuneeb, @reazuliqbal, @recrack, @reggaemuffin, @resteemable, @revo, @rileyge, @rishi556, @robin-maki, @robinron, @ryanli827, @sahidmiller, @sailei1, @sakujo, @salajro, @sambillingham, @samrg472, @schererf, @scorum.community, @scottweston, @sdavignon, @sean0010, @sedatyildiz, @segyepark, @selected, @senku, @sevenfingers, @shango, @shaunmza, @shiningpil, @sidibeat, @sigmundfreud, @sircork, @sjworld, @skenan, @sly13, @smartsteem, @smjn, @snwolak, @soulast, @spmarkets, @steem4keys, @steemalien, @steemanswer, @steemcreate, @steemcurve, @steemdesk, @steemfair, @steemgigs, @steemhelper.com, @steemhunt, @steemic, @steemit-casino, @steemitgame.dev, @steemit.lol, @steemiz, @steempedia.com, @steempostitalia, @steempunknet, @steemraise, @steemvids, @stoodkev, @supahefty, @supergamer, @svosse, @sweever, @syedumair, @talhasch, @taskmanager, @tasteem, @t-bot, @techchat, @tensor, @testbed, @tevo200, @theoldnavy, @thiagosouza, @thornaci, @timothy-mee, @tonychch, @touhidalam69, @tpdns90321, @tray, @twittertipper, @ubg, @ukuleletutorials, @upheaver, @upmewhale, @utopian-io, @vallesleoruther, @vhinojosa, @walnut1, @wehmoen, @wonki33, @wordchase, @x30, @yabapmatt, @yulem, @zakiii, @zemso, @zenkly, @zombee, @zonguin, @zygibo
If you have any questions or concerns feel free to discuss it with us on our discord channel.
Don't forget to follow us @busy.org and use our platform https://busy.org if you like our work! You can help us too by voting for our witness here: @busy.witness
Thanks for reading!
Greg from the @busy.org team
I'm on steemconnect right now but the option isn't there.
And how can I completly disable this feature of refresh tokens for my app ? I believe my users will be happier this way.
wil be an great project.
We should push in prod today or tomorrow. To disable this simply don't ask for offline access. Only refresh tokens are concerned
Would be even more secure if we could specify available scopes for the app in the dashboard.
In the documentation there is mentioned, that refresh token (and OAuth2 code flow) is enabled only, when user agree for na 'offline' scope - does it work in different way?
good job mr
i need secure ..
Great job gregory!
I'm sorry but you're the owner of theses apps: dporn.app, steemalerts, utopian.tools, yt2ipfs. So if any of them is using refresh tokens please consider using the IP filter
Hy all I just started to giveaway SBD on MY BLOG Check to participate
thanks sending dollers
Thanks for idea.this information helps steemians
Changes are now in production. Sorry for the delay!
Thanks for this update... just to be sure, this will affect only the refresh token calls, everything else will continue working without IP restrictions?
Yes only when the server ask an access token using a refresh token.
If an app doesn't require offline access you're not concerned
Perfect, thanks ;)
Heard utopian is no more available
Shoutout @gregory.latinier. Nice leadership move over there.. This is the kind of team play we need..