Security ideas for javascript SDK

76 views
Skip to first unread message

Nick

unread,
Oct 29, 2015, 1:46:59 PM10/29/15
to Keen IO Community
Hi all—

Love the product so far. After working with the javascript SDK for a week, I had a couple ideas to share for making the API Key more secure.

I ran into an issue where I needed to access a particular data object using only frontend javascript (client's website does not allow server access...it's a squarespace/wix type of env). In order to query the data, I of course had to use my "Read" API key. Unfortunately using that key gives access to any data in that project to anyone who's savvy enough to view source and grab the key.

So I explored creating a Scoped Key as well, but that only works if you want to limit a user to a specific set of data that's filtered using a specific set of parameters. This is a great feature, except there's no way to limit the *amount* of data that they can access. My data is coming from Stripe, so one event contains quite a bit of sensitive information.

Anyways, I'm not sure how many others use Keen in a similar environment, but I had two ideas that would help secure the API key.
  1. Add the ability to restrict API requests to specific IP addresses or domains. That way I'd have to "allow" a particular website to make requests...and any that aren't allowed would just be rejected.
  2. Add the ability to only query specific data objects with a Scoped Key...OR only allow a specific query to be run. That way a Scoped Key would be limiting both events, and the specific data objects within those events. OR it would only allow a "sum" (for example) operation to be run...instead of an "extract" operation.
Just a thought! Thanks.

Joseph Wegner

unread,
Oct 29, 2015, 2:27:53 PM10/29/15
to Nick, Keen IO Community
Hey NIck!

Funny you should mention it; we are actively discussing a new version of scoped keys, and the spec so far solves all of these problems!

It's a ways out (no dev has started - we're still mapping out what we want), but it's definitely in the works.

Thanks for the feedback! I'm gonna make sure our product people see this, so we can apply some more priority to these features.

Take care,
Joe Wegner

John Pelsang

unread,
Jun 28, 2016, 6:27:07 PM6/28/16
to Keen IO Community
You need a mutating browser signature graph.

Taylor Barnett

unread,
Jul 25, 2016, 5:15:25 PM7/25/16
to Keen IO Community
I just wanted to post a short note on this thread:

We now have Custom API Keys that have some of the features suggested: https://keen.io/docs/api/#custom-api-keys Yay! :D 

-Taylor

ni...@nickdownsdesign.com

unread,
Jul 25, 2016, 8:10:47 PM7/25/16
to Taylor Barnett, Keen IO Community
YUSSSSS

This is a great solution. Nice work guys!! I look forward to implementing this.

And thank you for following up!

Best,
Nick Downs
UI Designer
Reply all
Reply to author
Forward
0 new messages