Does the embedded url for some GroupDocs document have expiration time?

masato.setoyama · January 20, 2017, 6:01am

I’m using Startup Basic Plan, and trying to integrate GroupDocs with our application.

Does the embedded url (like “https://apps.groupdocs.com/document-viewer/embed/xxxxxxxxxxxxxxx?frameborder=‘0’%20width=‘800’%20height=‘600’&signature=yyyyyyyyyy”)

have expiration time?

I think the signature (“yyyyyyyy” in the above example url) has expiration time, but I couldn’t find any information about expiration time in your public document.

So please tell me about the expiration time of embedded url.

If the url has expration time, please tell about the length of the time and whether I can change the length of expiration time.

pavelteplitsky · January 20, 2017, 6:20am

Hi,

Thank you for your interest in GroupDocs. The embed URL and the signature doesn’t have any expiration time. If you will use our Cloud SDK the signature is generated from your Client ID and the Private Key via such method “<span style=“background-color: rgb(245, 245, 255); color: rgb(48, 64, 79); font-family: Menlo, Monaco, Consolas, “Lucida Console”, monospace; font-size: 12px;”>signUrl” from the “GroupDocsRequestSigner” class. For more info about how to embed the Viewer via the SDK you can check these examples.

Best regards.

masato.setoyama · January 20, 2017, 6:59am

Thank you pavelteplitsky.

I have one more question.

Can I use a signature generated for a document as a signature for another document ? (I think it’s good if it cannot be used for other document.)

pavelteplitsky · January 20, 2017, 7:50am

Hi,

Thank you for the question. As I said earlier the signature is generated from your account data and its always the same - since that the signature can be used for all your embed URLs.

Best regards.

masato.setoyama · January 20, 2017, 8:12am

Thank you, Pavel Teplitsky

and really??

I think it’s not secure.

So, If any user views some html (iframe) source of our application, and take a note about the Signature, and then if the user knows about any other GUID, the user can access the other file any time (because the signature does’t have expiration time…). It makes no sense to use GroupDocs client id and private key from our application.

pavelteplitsky · January 20, 2017, 9:49am

Hi again,

I have discussed this with our Product team and here what I have found out:

The signature is used for not accessing other guids , the signature is the same only for a specific guid, so for different files…there are different signatures.

Sorry for confusion.

masato.setoyama · January 23, 2017, 3:53am

Hi, Pavel Teplitsky

Thank you for confirming about this.

And OK, I understand the feature about the Signature.

Best Regards,

Masato Setoyama

pavelteplitsky · January 23, 2017, 6:39am

Hi Masato,

You are welcome. If you will have any questions please feel free to contact us.

Best regards.

masato.setoyama · January 24, 2017, 12:57am

Hi, Pavel Teplitskiy

By way of experiment,
I changed the signature of the embedded url from a generated and correct signature to an inaccurate one (“aaaaa”), then opened Chrome’s “Secret Window” and input the url with the inaccurate signature(“aaaaa”) expecting to be denied to access, but could access my document of Groupdocs.

Instead of using “Secret Window” of Chrome, I tried Firefox and Safari, but the result was same (could access the document without a correct Signature)

Is this correct behavior of your service? This is not good…

pavelteplitsky · January 25, 2017, 1:01pm

Hi,

Sorry for the delay. Yes, this is an issue and we will fix it. When the fix will be released - you will be notified here.

Sorry for the inconvenience.