Russ Biggers
Posts: 0
Joined: Sun Aug 10, 2014 10:19 pm

App is being Hacked!

Yurii,

Do you know of a tutorial/documentation for hiding the "db id"?

How should I prevent a hacker from using the proxy to access the collections?

I can't really use ACL and secure collections because anyone can essentially create an "account", and once they have an account they would have a session token; and for ACL I need a collection of "Administrators" to be able to edit all the collection information as well as the specific user.

I am trying to figure out a way to fix all of this before I publish my app again because the hackers ruined the app pretty bad once they got into it.

Your help is greatly appreciated and thank you for your time!

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

App is being Hacked!

Hi Russ,

The ACL field in an item can fully determine the access level: who can read and who can write to this item.

Unfortunately there are no groups in the appery.io ACL yet.

But you can create "server script" proxy.

This proxy will:

1. Receive "userId" and "token".

2. Verify the "token" by getting the user details.

3. Get the "role" column from the user details, and define whether this user has access to the requested collection and action in accordance with this server script ACL.

4. If the user has access, make the request to the known DB id.

If you are willing to implement it, you can read more about server script here:
http://devcenter.appery.io/documentat...

Regards.
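The proxy flow outlined in the reply above (receive userId and token, verify the token via the user details, check the role column against an ACL, and only then forward with the DB id), as an added JavaScript example that is not from this thread or from Appery.io. The user lookup is a constructed stand-in for "get user details", and the ACL table, the DB id placeholder and the `authorize` function are assumptions; the platform's own request/response calls are left out.

```javascript
// Added example (not Appery.io's own code): role-based ACL check for a
// server-script proxy. Supply your own lookupUser for a real backend.

// Server-side ACL: which roles may perform which action on which collection.
// The DB id lives only here, so the client never learns it (placeholder value).
const DB_ID = "<database-id-placeholder>";
const ACL = {
  orders:   { read: ["user", "admin"], write: ["admin"] },
  products: { read: ["user", "admin"], write: ["admin"] },
  users:    { read: ["admin"],         write: ["admin"] },
};

// Constructed sample of what "get user details" returns, keyed by userId;
// the presented token must match the session token stored for that user.
const SAMPLE_USERS = {
  u1: { sessionToken: "tok-u1", role: "user" },
  u2: { sessionToken: "tok-u2", role: "admin" },
};
function sampleLookupUser(userId) { return SAMPLE_USERS[userId] || null; }

// Steps 1-4 from the reply: take userId/token, verify the token against the
// user record, read the role column, consult the ACL, and only then build the
// request the proxy will forward (adding the DB id server-side).
function authorize(lookupUser, { userId, token, collection, action }) {
  const user = userId && token ? lookupUser(userId) : null;
  if (!user || user.sessionToken !== token) {
    return { ok: false, status: 401, reason: "invalid user or token" };
  }
  const allowed = (ACL[collection] || {})[action];
  if (!allowed || !allowed.includes(user.role)) {
    // Unknown collections and actions fall through to deny as well.
    return { ok: false, status: 403, reason: "role not permitted" };
  }
  return { ok: true, status: 200, forward: { dbId: DB_ID, collection, action } };
}
```

Because every request passes through `authorize` before the DB id is attached, a client that bypasses the app and talks to the proxy directly still only gets what its role allows.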
