How to ensure that only the desired App could use an Access Token?
As Ugolini suggested, there is at least one way to protect against the use of
stolen tokens: sign the request. This is a pattern from OAuth, and Twitter has
some examples.
Related Material:
https://dev.twitter.com/oauth/overview/authorizing-requests
https://dev.twitter.com/oauth/overview/creating-signatures
https://oauth1.wp-api.org/docs/basics/Signing.html
My Considerations:
Both Instagram and Facebook use 1 hour periods. I think that doesn't fit for us,
because they can handle and wait for longer times without affecting the system,
and we can't. We need to detect the attacker faster; otherwise we might face one
hour of lag before stopping it. Maybe 1 or 5 minute periods.
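A worked version of that pattern, added here as an example (it is not code from the page, from Twitter, or from any OAuth library): HMAC-SHA1 signing over an OAuth 1.0 style base string as the linked signing docs describe it, plus the server-side check that recomputes the signature, enforces the short freshness window discussed above, and rejects a reused nonce. The function and class names, the token, and the secrets are constructed for the example.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(value):  # RFC 3986 percent-encoding, as the OAuth 1.0 signing docs require
    return quote(str(value), safe="")

def base_string(method, url, params):  # METHOD&url&params, each piece encoded separately
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())  # sorted by key, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):  # HMAC-SHA1, base64 output
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # signing key per the docs
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request(method, url, body, token, consumer_secret, token_secret, nonce, ts):
    params = dict(body, oauth_token=token, oauth_nonce=nonce, oauth_timestamp=str(ts),
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0")  # client side
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class Verifier:  # server side: constructed name, in-memory state for the example
    def __init__(self, secrets, window=300, now=time.time):
        self.secrets = secrets  # token -> (consumer_secret, token_secret), constructed lookup
        self.window = window    # seconds; 300 is the 5 minute period discussed above
        self.now = now          # injectable clock so the window can be tested
        self.seen = set()       # (token, nonce) pairs; a real store expires them after `window`

    def verify(self, method, url, params):
        token = params.get("oauth_token")
        if token not in self.secrets:
            return False
        if abs(self.now() - int(params.get("oauth_timestamp", 0))) > self.window:
            return False        # stale: a captured request outside the period is useless
        replay_key = (token, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return False        # same nonce inside the window: replay of a captured request
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, *self.secrets[token])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False        # parameters were altered, or the signer lacks the secret
        self.seen.add(replay_key)
        return True
```

A stolen token alone is not enough to produce a valid signature, and a captured signed request only works once, inside the window.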