Hi all, I'm new to the Cloud and all that it means. I'm planning on connecting to the Parse REST API from an app I'm currently working on. I have tried out this approach: parse tutorial on GitHub and it works fine. What I'm wondering about is the usage of the application key and master key.
On Parse's website they say that: "For security, the master key should not be distributed to end users, but if you are running code in a trusted environment, feel free to use the master key for authentication."
So I'm guessing that using the approach in the source from GitHub is not suited for "production". So, what's the right way of doing this in a safe way? Setting up ACL in Parse.com or passing along application key and REST API key instead (if possible)?
At this point I'm only interested in fetching data from Parse, but later on, there might be a need for saving data as well...
When they say the key should not be distributed to end users, they mean that you shouldn't let them see it. Otherwise, they could re-use this same key in another app and corrupt your cloud data.
But if your application embarks it, this is not an issue since the API keys can't be seen by the end users.
Hope this clears this up for you.
Okay! So there is no way of getting the keys out of the HTTP request header? I'm just thinking of the worst-case scenario here. Looked at the code on GitHub again and saw this:
var authString = Base64.encode(that.applicationId+':'+that.masterKey);
xhr.setRequestHeader('Authorization', 'Basic '+authString);
xhr.setRequestHeader('Content-Type','application/json');
Thanks for clearing this one out for me.
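Added example, not part of the thread or the GitHub tutorial: the Authorization header built by the quoted snippet is Base64-encoded, not encrypted, so it decodes straight back to the application ID and master key. The second function is a hypothetical pre-release check that flags client files embedding that key. All function names, file names and key values are constructed for illustration.

```javascript
// Added example (Node.js). Names and sample values are constructed, not from the tutorial.

// Build the header the same way the quoted snippet does.
function buildBasicAuth(applicationId, masterKey) {
  const authString = Buffer.from(applicationId + ':' + masterKey, 'utf8').toString('base64');
  return 'Basic ' + authString;
}

// Base64 is an encoding, not encryption: the header decodes without any secret.
function decodeBasicAuth(header) {
  const match = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only; the key may contain ':'
  if (sep === -1) return null;
  return { applicationId: decoded.slice(0, sep), masterKey: decoded.slice(sep + 1) };
}

// Hypothetical pre-release check: flag client source that embeds the master key,
// either as a literal or already Base64-encoded inside an auth string.
function findEmbeddedMasterKey(files, applicationId, masterKey) {
  const encoded = Buffer.from(applicationId + ':' + masterKey, 'utf8').toString('base64');
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      if (line.includes(masterKey)) findings.push({ file: name, line: i + 1, kind: 'literal' });
      else if (line.includes(encoded)) findings.push({ file: name, line: i + 1, kind: 'base64' });
    });
  }
  return findings;
}

// Constructed sample data standing in for an app bundle.
const APP_ID = 'exampleAppId123';
const MASTER_KEY = 'exampleMasterKey456';
const sampleFiles = {
  'app.js': "var client = new Client();\nclient.masterKey = 'exampleMasterKey456';\n",
  'net.js': "xhr.setRequestHeader('Authorization', '" + buildBasicAuth(APP_ID, MASTER_KEY) + "');\n",
  'ui.js': "var title = 'Hello';\n",
};

console.log(decodeBasicAuth(buildBasicAuth(APP_ID, MASTER_KEY)));
console.log(findEmbeddedMasterKey(sampleFiles, APP_ID, MASTER_KEY));
```

Running the check against the shipped bundle in a release pipeline catches a master key before it reaches end-user devices; the decode step shows why the header alone gives no protection.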