Hello Steem developers and SteemConnect users,
Project: SteemConnect, Pull Request
This PR increases the security of SteemConnect apps by adding a server IP restriction.
In this field, enter the IPs of your servers that will be allowed to make refresh token calls to the SteemConnect API. When a refresh token is used, we now look up the app linked to that token and check whether the server the request is coming from is in its allowed list.
You can leave this field blank, but I don't recommend it, especially if your app is running in production and using offline access.
This security layer prevents stolen tokens from being used on a server that you don't control. It will not stop malicious code from being executed on your own server; that remains your responsibility.
Lastly, if you're the owner of an app, please take the time to increase your app's security. Below is the list of all app owners that we know of. If you find your name, that means you own an app, so please take the time to update your app if it's running in production.
App owner list:
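The check the post describes, as an added example that is not SteemConnect's own code: when a refresh token is exchanged for a new access token, the handler resolves the app linked to the token, reads that app's allowed IP list, and rejects the request if the list is non-empty and the peer address is not in it. The app registry, token store, `ipAllowed` / `exchangeRefreshToken` function names and the sample addresses are constructed for this example. Note that the peer address must come from the socket (or the last trusted proxy hop), not from a client-supplied header, otherwise the allowlist can be bypassed by anyone holding the stolen token.

```javascript
// Added example, not SteemConnect code: per-app server IP allowlist enforced
// only on the refresh-token grant, as described in the post above.

// Constructed sample registry: an empty allowedIps list means "field left blank",
// i.e. no restriction (the post allows this but recommends against it).
const APPS = {
  "demo.app": { allowedIps: ["203.0.113.10", "203.0.113.11"] }, // restricted
  "open.app": { allowedIps: [] },                               // unrestricted
};

// Constructed sample refresh tokens, each linked to one app.
const REFRESH_TOKENS = {
  rt_demo_1: { clientId: "demo.app", user: "alice", scope: ["offline", "vote"] },
  rt_open_1: { clientId: "open.app", user: "bob", scope: ["offline"] },
};

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Node reports IPv4 peers on a dual-stack socket as "::ffff:a.b.c.d";
// strip that prefix so a plain IPv4 allowlist entry still matches.
// Returns a canonical string, or null if the value is not a usable address.
function normalizeIp(ip) {
  if (typeof ip !== "string" || ip.length === 0) return null;
  const mapped = /^::ffff:(.+)$/i.exec(ip);
  const candidate = (mapped ? mapped[1] : ip).toLowerCase();
  const m = IPV4.exec(candidate);
  if (m) {
    // Reject octets above 255 rather than silently comparing garbage.
    return m.slice(1).every((o) => Number(o) <= 255) ? candidate : null;
  }
  // Anything else is treated as an opaque (IPv6) literal compared as-is.
  return candidate.includes(":") ? candidate : null;
}

// True when the app has no restriction, or the peer is one of the listed servers.
function ipAllowed(allowedIps, peerIp) {
  if (!Array.isArray(allowedIps) || allowedIps.length === 0) return true;
  const peer = normalizeIp(peerIp);
  if (peer === null) return false; // unknown peer address never passes a restriction
  return allowedIps.some((entry) => normalizeIp(entry) === peer);
}

// Refresh-token grant handler. `peerIp` is the socket address (or the address
// reported by a trusted reverse proxy), never a client-controlled header.
function exchangeRefreshToken(refreshToken, peerIp) {
  const tok = REFRESH_TOKENS[refreshToken];
  if (!tok) return { ok: false, error: "invalid_grant" };
  const app = APPS[tok.clientId];
  if (!app) return { ok: false, error: "invalid_client" };
  if (!ipAllowed(app.allowedIps, peerIp)) {
    // A stolen refresh token replayed from a server the owner does not control.
    return { ok: false, error: "unauthorized_client", reason: "ip_not_allowed" };
  }
  // Constructed placeholder for minting a new short-lived access token.
  return { ok: true, accessToken: `at_${tok.user}_${Date.now()}`, scope: tok.scope };
}

// Demo run: restricted app from a listed server, then from an unlisted one.
console.log(exchangeRefreshToken("rt_demo_1", "::ffff:203.0.113.10"));
console.log(exchangeRefreshToken("rt_demo_1", "198.51.100.7"));

module.exports = { normalizeIp, ipAllowed, exchangeRefreshToken };
```

Leaving the list empty keeps today's behaviour, which is why the post recommends filling it for any production app that requests offline access: the only token that lives long enough to be worth stealing is the refresh token, and this check makes it useless outside the listed servers.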
@aaronteng, @abhishekvaid, @adoelesteem, @air-clinic, @airhawk-exchange, @akintunde, @alaingold, @alexverge, @aley, @anarcotech, @andreistalker, @andrekweku, @andybets, @aneilpatel, @anonycoin, @ansek, @anthonyadavisii, @aquacy, @arsteem, @asbear, @asgarth, @azaanwrites, @azarus, @bennierex, @betel, @biddle, @binjeeclick, @binkley, @birdinc, @blockchan, @bloque64, @bostrot, @br3adina7or, @cadawg, @callahan, @cdhexx, @cha0s0000, @christianjombo, @clevershovel, @cloh76, @codewithcheese, @comsamo, @creative-commons, @crowdini, @crypticwyrm, @cryptocrusaders, @cryptogecko, @cryptosharon, @crypto.talk, @cryptouru, @damaera, @darkflame, @debraycodes, @decebal2dac, @decentmemes, @deimus, @demotruk, @dgames, @dhealth, @disregardfiat, @doctor.fish, @doctorvee, @doreami93, @dpornco, @dragosroua, @dunite, @dwarrilow2002, @eastmael, @eddy-ghost, @elegance, @emrebeyler, @enki74, @ercu, @eternittyyy, @ety001, @ewq, @excitedntl, @fabien, @feekayo, @fel1xw, @fervi, @firedream, @fode, @franky4dita, @franticich, @freetissues, @funnyman, @gameland, @gangze, @gentlemanoi, @geronimo, @gktown, @gokulnk, @good-karma, @gregory.latinier, @guix77, @hakancelik, @harjuky, @harpagon, @heimindanger, @helo, @heriadi, @hernandev, @hightouch, @howo, @hoxly, @hrock, @hsynterkr, @hui.zhao, @hyperspaceonline, @iamankit, @icaro, @idlebright, @igster, @iguazi123, @ikidnapmyself, @imlikett, @inertia, @institute, @jacobyu, @jakipatryk, @jakipatryk-dev, @jalasem, @jamzed, @jefft, @jefpatat, @jeonghckr7, @jes2850, @jestemkioskiem, @jlebrijo, @jm90mm, @jmsofarelli, @jnmarteau, @johnesan, @jrawsthorne, @juicer, @jungs, @justinadams, @kellyjanderson, @kennybll, @kirkins, @kizzbonez, @klye, @knowledges, @koinbot, @kryptonia, @kwlvarun, @kws4679, @lanmower, @leap8, @leebs1986, @letseat, @leventsane, @lightproject, @lopezdacruz, @lrmedia, @mafouani, @mahdiyari, @markangeltrueman, @martibis, @maxg, @maxse, @mburakolgun, @memeit.lol, @minnowhelperteam, @mkt, @modenacook, @moonrise, @morning, @mowilimi, @mungprik, 
@mys, @nareshbalaji, @newmoney32601, @nhj12311, @nicniezgrublem, @nikema, @nirgf, @nnnarvaez, @noisy2, @notaku, @ocdb, @okc, @olegn, @olo2552, @omeratagun, @orine, @oroger, @oudekaas, @oups, @overmedia, @pankajwahane, @paolobeneforti, @peerquery, @peneinc, @perduta, @pharesim, @planetenamek, @pranishg, @precise.bot, @predictev, @prenaio, @profchydon, @programminghub, @purec, @puzzledbytheweb, @qny37, @r351574nc3, @ragepeanut, @rahulsps, @ranamuneeb, @reazuliqbal, @recrack, @reggaemuffin, @resteemable, @revo, @rileyge, @rishi556, @robin-maki, @robinron, @ryanli827, @sahidmiller, @sailei1, @sakujo, @salajro, @sambillingham, @samrg472, @schererf, @scorum.community, @scottweston, @sdavignon, @sean0010, @sedatyildiz, @segyepark, @selected, @senku, @sevenfingers, @shango, @shaunmza, @shiningpil, @sidibeat, @sigmundfreud, @sircork, @sjworld, @skenan, @sly13, @smartsteem, @smjn, @snwolak, @soulast, @spmarkets, @steem4keys, @steemalien, @steemanswer, @steemcreate, @steemcurve, @steemdesk, @steemfair, @steemgigs, @steemhelper.com, @steemhunt, @steemic, @steemit-casino, @steemitgame.dev, @steemit.lol, @steemiz, @steempedia.com, @steempostitalia, @steempunknet, @steemraise, @steemvids, @stoodkev, @supahefty, @supergamer, @svosse, @sweever, @syedumair, @talhasch, @taskmanager, @tasteem, @t-bot, @techchat, @tensor, @testbed, @tevo200, @theoldnavy, @thiagosouza, @thornaci, @timothy-mee, @tonychch, @touhidalam69, @tpdns90321, @tray, @twittertipper, @ubg, @ukuleletutorials, @upheaver, @upmewhale, @utopian-io, @vallesleoruther, @vhinojosa, @walnut1, @wehmoen, @wonki33, @wordchase, @x30, @yabapmatt, @yulem, @zakiii, @zemso, @zenkly, @zombee, @zonguin, @zygibo
If you have any questions or concerns, feel free to discuss them with us on our Discord channel.
Don't forget to follow us @busy.org and use our platform https://busy.org if you like our work! You can help us too by voting for our witness here: @busy.witness
Thanks for reading!
Greg from the @busy.org team
Great job gregory!
I'm sorry, but you're the owner of these apps: dporn.app, steemalerts, utopian.tools, yt2ipfs. So if any of them is using refresh tokens, please consider using the IP filter.
Hi all, I just started to give away SBD on MY BLOG. Check to participate.
Thanks, sending dollars.
Thanks for the idea. This information helps Steemians.
Changes are now in production. Sorry for the delay!
Thanks for this update... just to be sure, this will affect only the refresh token calls, everything else will continue working without IP restrictions?
Yes, only when the server asks for an access token using a refresh token.
If an app doesn't require offline access, you're not concerned.
Perfect, thanks ;)
Heard utopian is no more available
Shoutout @gregory.latinier. Nice leadership move over there. This is the kind of team play we need.
Thanks for this update......
good to see this, nice work guys!
Great information , Thank you
Good job....
This is great news and a wonderful innovation, because providing security to users for their apps is considered a difficult job.
Such an amazing thing will help every user to be safe from anything he cannot tolerate.
Thanks for sharing such a special post.
Nice. 👍👍👍
Hey @gregory.latinier
Congratulations! Your contribution was Staff Picked to receive a maximal vote for the development category on Utopian for being of significant value to the project and the open source community.
We're already looking forward to your next contribution!
Contributing on Utopian
Learn how to contribute on our website or by watching this tutorial on Youtube.
Utopian Witness!
Vote for Utopian Witness! We are made of developers, system administrators, entrepreneurs, artists, content creators, thinkers. We embrace every nationality, mindset and belief.
Want to chat? Join us on Discord https://discord.gg/h52nFrV
Great job sir @utopian-io
Thanks for the contribution. It has been approved.
Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]
Great job gregory!
sir @gregory.latinier
Well, this is more interesting to me. I've been using busy.org since my account was approved by Steemit. This is very good and I appreciate this post. Thank you so much, busy.org team.
Very nice security addition.
It seems like everyone is trying to improve steemconnect security somehow: https://steemit.com/utopian-io/@cryptohazard/suggestions-for-steemconnect-add-security-design-information-and-good-practice
Congratulations @gregory.latinier!
Your post was mentioned in the Steemit Hit Parade in the following category:
Wow.. nice updates.
Thanks for making Steemconnect more secure.
I just created a new app on Steemconnect and noticed that the save button in the edit section is not working anymore when the Allowed IPs section is left blank.
Unfortunately, leaving the Allowed IPs section empty is not working. I opened an issue on GitHub.
Hopefully, you can help me with a question I have, because I am kind of stuck here. I am building a mobile app without a server. What am I supposed to enter in the Allowed IPs section?
Congratulations @gregory.latinier! You have completed some achievement on Steemit and have been rewarded with new badge(s):
Award for the number of upvotes received
Click on any badge to view your Board of Honor.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word STOP
Do not miss the last announcement from @steemitboard!
Will be a big project.
Congratulations @gregory.latinier! You have received a personal award!
1 Year on Steemit
Click on the badge to view your Board of Honor.
Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - The semi-finals are coming. Be ready!
Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes
Congratulations @gregory.latinier! You have completed the following achievement on Steemit and have been rewarded with new badge(s):
Award for the number of comments received
Award for the number of comments
Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP
Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - Final results coming soon
Why should someone care about this? Nice try to make this piece of crap more secure
We are simply reacting to utopian hack and your threats ;)
Okay, then it's a good thing! Really.
The easy wins, common sense approaches with security are a big help. Don't underestimate your work.
Great work on the patch. Do you know when it will go live? I see it merged into master, but I don't see the IP address option when I try to edit steemvids.app. Revoked all tokens anyway, just in case.
Now it's live. If you clear your cache, you should be able to see it and use it.
Thanks fabien, I've added IPs now :)
Will be a great project.
We should push to prod today or tomorrow. To disable this, simply don't ask for offline access. Only refresh tokens are concerned.
Would be even more secure if we could specify available scopes for the app in the dashboard.
In the documentation it is mentioned that the refresh token (and OAuth2 code flow) is enabled only when the user agrees to the 'offline' scope. Does it work in a different way?
Good job, mr.
I need security..