FilePicker: Anyone can use unregistered Email Address

  • Profile Image
    Welvin
    Asked on July 10, 2013 at 11:59 AM

    Original Concern from Markashton:

    Anyone can add FilePicker and use any UNREGISTERED Email Address from the Setup Area. Someone should supposed to create an account first before they can integrate FilePicker.

     

    Thanks

  • Profile Image
    kenneth
    Answered on July 10, 2013 at 12:53 PM

    For some reason after I inspect how jotform gets api key from InkFilePicker using email. It always return a random apiKey whether its a registered email or not.

    I think these problems were already existed on InkFilePicker's end or maybe they have some other reasons behind why they leave it like that.

    For now I will consider not to enter email address anymore but rather just enter a valid API key and if they have none, we will require them to create especially if they are going to use the S3 bucket feature.

    Thanks for reporting,
    Kenneth 

  • Profile Image
    markashton
    Answered on July 10, 2013 at 03:54 PM

    Ken,

    Is it definitely a random API key ... and not a jotform specific one?

    I have a form here: http://form.jotform.co/form/31894288736874

    I just added the email test@test.com ... generated an API key that is not mine ... 

    I do a form submission ... it uploads the file fine ... the file is accessible via submissions

    What's going on there? Is it Inkfilepicker's end then? Just letting accounts be generated from duff email addresses?

    Yeah ... I'd change that as you mentioned above to the API key method of identification

    Thanks Mark

  • Profile Image
    Welvin
    Answered on July 10, 2013 at 06:26 PM

    Hi Mark,

    Yes, this is probably on Inkfilepicker's end. You can use any email address as part of the integration. I have tried this;

    1. Using unregistered Email Address to Filepicker setup

    2. It generates API Keys

    3. You can click "Forgot Password" to Filepicker's website even you're not registered and they will send you a temporary password so you can manage the uploaded files.

    We'll, Kenneth is looking into this. We'll continue to update you with this function. Thanks for your thoughts :)