🐛 Bug Report: No app check #5653

Closed
2 tasks done
shatanikmahanty opened this issue Jun 4, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@shatanikmahanty

👟 Reproduction steps

  • Create a Flutter app in console and add package name for Android
  • Create Android app using different package name in your preferred IDE
  • It will still allow access to Appwrite services

👍 Expected behavior

Should not allow access to Appwrite if the package name is different from what is registered in console

👎 Actual Behavior

Allows access to cloud resources

🎲 Appwrite version

Appwrite Cloud

💻 Operating system

Windows

🧱 Your Environment

Appwrite Cloud

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@shatanikmahanty added the bug label Jun 4, 2023
@Haimantika
Contributor

Thanks for creating this issue @shatanikmahanty. Our team will look into it soon.

@Haimantika
Contributor

Hi @shatanikmahanty we checked internally, and it is working as expected. Can you recheck and let me know?

@shatanikmahanty
Author

Hi @Haimantika, was caught up in work, so could not check earlier.

I am still facing the same issue on read data. Writing to database or deleting user session gives me error invalid origin, so they are working.

The current package name in the app: com.codeswipe.app
Package name in cloud console registered app: com.codeswipe.client
image

Reproducible code:
https://github.com/shatanikmahanty/codeswipe

Steps to reproduce:
run commands:

  • flutter pub get
  • dart run build_runner build --delete-conflicting-outputs
  • flutter run

Once app is launched:

  • Go to login page, long tap on CodeSwipe text to toggle env to dev.
  • Login using Google
  • Go to Discover page from app bottom bar (Card icon)
  • You'll see the profiles being listed, which means data is accessible from the database. (But writing data is throwing error invalid origin, app not registered)

@Haimantika
Contributor

Hi, so this is an expected behaviour. We validate the origin like how CORS checks are done on the web. It's not meant to fully stop someone from accessing your Appwrite project.

@shatanikmahanty
Author

Is there a method by which we may secure data read?

@stnguyen90
Contributor
stnguyen90 commented Feb 5, 2024

The best way to secure data is to set permissions to limit access to only authorized users. If you're looking for Play Integrity integration, please add a 👍🏼 to #4791

@stnguyen90 closed this as not planned Feb 5, 2024
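
Added example (not part of the thread and not Appwrite's own code): a simplified Python model of the permission advice in the last comment. It assumes Appwrite's permission-string format (`read("users")`, `read("user:<id>")`); the function names, document ids and users are constructed for illustration. The caller's package name is not an input to the read decision, so only the document's permissions separate the two outcomes.

```python
import re

# Permission strings in the form action("role"), e.g. read("user:alice").
PERM_RE = re.compile(r'^(read|create|update|delete|write)\("([^"]+)"\)$')

def parse_permission(perm):
    m = PERM_RE.match(perm)
    if m is None:
        raise ValueError(f"malformed permission: {perm!r}")
    return m.group(1), m.group(2)

def caller_roles(user_id=None):
    """Roles held by a request. Package name and origin are deliberately
    not parameters: in this model they play no part in authorization."""
    if user_id is None:
        return {"any", "guests"}
    return {"any", "users", f"user:{user_id}"}

def can_read(permissions, roles):
    """True if any read grant names a role the caller holds."""
    return any(
        action == "read" and role in roles
        for action, role in map(parse_permission, permissions)
    )

def broad_read_grants(documents):
    """Audit helper: ids of documents readable by any caller, guest or signed-in user."""
    broad = {"any", "guests", "users"}
    return sorted(
        doc_id
        for doc_id, perms in documents.items()
        if any(a == "read" and r in broad for a, r in map(parse_permission, perms))
    )

# Constructed sample data (hypothetical document ids and users).
DOCUMENTS = {
    "profile-alice": ['read("users")', 'update("user:alice")'],
    "settings-alice": ['read("user:alice")', 'update("user:alice")'],
}

if __name__ == "__main__":
    bob = caller_roles("bob")  # signed in, from any build of the app
    for doc_id, perms in DOCUMENTS.items():
        print(doc_id, "readable by bob:", can_read(perms, bob))
    print("broad read grants:", broad_read_grants(DOCUMENTS))
```

Running `broad_read_grants` over an export of a project's document permissions gives a quick list of data that any signed-in user can read regardless of which app build they use.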