Authentication Key

We generate a random string to use as a way for a SERVER to know who is requesting data using a webConnect.

A user runs a CIQ field which stores their String (saved in persistent storage) as a FIT SESSION string. That string is available to the server once the activity is uploaded. A one-time "registration" upload. Until they use another device, or hard reset it, etc. Then they need to do this again since the saved key is gone.

From then on, the server will know that a webConnect using that String is from a specific User. Works great. No Username or Password needed in User Settings. The Authentication method is hidden from the user and no need to maintain User Settings.

One unfortunate thing is that the "key" is visible in their Garmin Connect Activity report. Not a big deal. There isn't anything sensitive about the data the server sends back. Workout Target values, FTP, that kind of thing.

But I don't think there is a way to add a string to a FIT file from a CIQ field that isn't displayed in the Garmin Connect Activity report, right?
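The server side of the scheme described in the post above, as an added example that is not part of the original thread: it keeps only a SHA-256 digest of each key, retires a user's old key on re-registration, and refuses a key already bound to a different account. `KeyRegistry`, its method names, the one-key-per-user rule and the 32-character minimum are assumptions made for illustration.

```python
import hashlib

MIN_KEY_LEN = 32  # assumption: the page does not state the key length


class KeyRegistry:
    """Hypothetical server-side store mapping a device key to a user."""

    def __init__(self):
        self._user_by_digest = {}  # sha256(key) -> user_id
        self._digest_by_user = {}  # user_id -> sha256(key)

    @staticmethod
    def _digest(key):
        # Keys are long random strings, so a plain hash is enough to keep
        # the raw value out of the database.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def register_from_activity(self, user_id, session_key):
        """Bind the key found in an uploaded activity's FIT session string."""
        if len(session_key) < MIN_KEY_LEN:
            raise ValueError("key too short to act as a credential")
        digest = self._digest(session_key)
        owner = self._user_by_digest.get(digest)
        if owner is not None and owner != user_id:
            raise PermissionError("key is already bound to another account")
        # New device or hard reset: the old key is gone, so retire it.
        old = self._digest_by_user.get(user_id)
        if old is not None and old != digest:
            del self._user_by_digest[old]
        self._user_by_digest[digest] = user_id
        self._digest_by_user[user_id] = digest

    def user_for_request(self, presented_key):
        """Return the user a web request's key belongs to, or None."""
        return self._user_by_digest.get(self._digest(presented_key))


if __name__ == "__main__":
    registry = KeyRegistry()
    key = "3f9c1b7e5a2d48c6907e1f4ab8d3c205"  # constructed sample key
    registry.register_from_activity("user-1", key)
    print(registry.user_for_request(key))        # user-1
    print(registry.user_for_request("x" * 32))   # None
```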

  • Yes but in my model the random string is only used once for the connection, and isn't sent/used any more! (actually it's not even necessary to save it in the local storage, as it can be sent to the server, and when the response says it was saved in the DB then the FIT file can be created and the string discarded)

    And if there's this "connection" activity, then the rest of the session (or the activity name for example) can be used to communicate to the user that after it's synced to the website it can be deleted from Garmin Connect.

    BTW the developer will have GDPR issues IMHO...

  • Yes but in my model the random string is only used once for the connection, and isn't sent/used any more!

    Hence what I said: “except for step 4”. I agree that it’s an improvement. But it’s not substantially different than what they’re doing now, and it doesn’t solve their stated problem of not wanting the user to see the random string in the Connect activity page.

    BTW the developer will have GDPR issues IMHO...

    Yes like I said, it’s not exactly ideal from a privacy/security POV.

    If you’re going to explain all of this in your privacy policy (as you should), then it should also not be a problem for the user to see the random string in the activity info. Certainly they would be able to see it if they inspect the FIT file (e.g. using a tool such as fitfileviewer.com).

    Wouldn’t it be worse if the user noticed that a weird random string was hidden in the FIT file, as opposed to having it visible in Connect? The user might think that the dev is trying to pull a fast one on them. Like I said, when I hear about companies trying to track me without my knowledge or consent, I usually don’t think of that as a benefit to me. It’s usually associated with scummy advertising practices and/or malware.

    I think the key is to name it properly: e.g. “one-time authentication token”