We are building a front-end web application based on speckle. The client asked some questions regarding #security of their data that will be stored in the #specklexyz server. So I tried to collect some information but unfortunately I did not find much that could clear my doubts.
How the app works:
I’ve initially followed this guide.
The user lend on the app and authorize the app on speckle using the token exchange the guide suggests.
From now on the app act on behalf of the user and it has read-write permissions.
- The user see all the speckle projects, and he’s asked to choose one.
- The user can download some models from different branches into the app
- The user will interact with these models (they won’t be modified) and create some data
- The user can now save the project and the app does the following:
a. create a dedicated branch on the project if not present
b. create a speckle object and commit the data on the dedicated branch
- The user has now saved it’s work. Next time he choose the same project he can choose (from the dedicated branch) which version of the last saves to load, and continue the project.
Long story short: we are using speckle.xyz as database for the app, saving there the project data as primary cloud storage.
The user is mainly worried about:
- “what if speckle is down?” ( → we can skip this one, since I’m aware that speckle is 99.999% online and reliable)
- “what if I’m hacked and I loose all my work?”
They are not worried about data being stolen (not sensible data really) but mainly being locked out from their data and be blocked on their work.
My “dumby” questions are:
- What happen if someone steal the app access token from the local storage of the laptop of the client?
- What happen if someone steal also the speckle credentials of the user?
- Can a malicious attack encrypt the data of one user on your servers? (This probably not, but I just drop the question…)
- Can a user get back to his account if someone else manage to get in and change password?
- Any best practice to share streams between users to prevent bad thing happening if just one user is hacked?
- Anything else can go possibly wrong?