Abusing the Internet of Things

FIGURE 7-23. Gathering information about the connected cloudBit using the cloudBit API


We needed both the DeviceID and the AccessToken to query information about the cloudBit from the API. However, if we only knew the AccessToken, we could obtain the DeviceID by querying the devices associated with the user in this way:


$ curl -i -XGET -H "Authorization: Bearer [AccessToken DELETED]" \
    -H "Accept: application/vnd.littlebits.v2+json" \
    https://api-http.littlebitscloud.cc/devices
HTTP/1.1 200 OK
accept-ranges: bytes
access-control-allow-headers: Authorization, Content-Type, If-None-Match
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: WWW-Authenticate, Server-Authorization
access-control-max-age: 86400
cache-control: no-cache
content-type: application/json; charset=utf-8
Date: Thu, 02 Apr 2015 04:51:49 GMT
Content-Length: 272
Connection: keep-alive
[{"label":"SMS_Door_Bell","id":"[DELETED]","user_id":[DELETED],"is_connected":
true,"ap":{"ssid":"TOUCHOFCLASS","mac":"[DELETED]","strength":"99","server_id"
:"DfhIt25l","socket_id":"F1PDVb2Il","status":"2"},"subscriptions":[],
"subscribers":[],"input_interval_ms":750}]

The value of id returned from the curl command is the DeviceID that is associated with
the user’s account. This proves that the secrecy of the value of the AccessToken ultimately
guards access to the cloudBit. The cloudBit API advertises no way for developers to request a
new AccessToken. Without this functionality, the provided AccessToken will persist forever.
Given that the littleBits and cloudBit platforms are not intended for production use, there is
low risk with regard to the prototype itself. However, designers should bake in methods for
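The following is an added, illustrative example and not littleBits code or the real cloudBit API. It shows the two halves of the point above: first, that a /devices body like the one returned by the curl command yields the DeviceID from nothing but the AccessToken, so the token is the sole secret; second, a minimal server-side token registry (hashed storage, expiry, rotation and revocation) of the kind a designer could bake in so that a leaked AccessToken does not persist forever. The sample response body, the `TokenRegistry` class, the `list_devices` function and all identifiers in it are constructed for this example.

```python
"""Added example, not littleBits code: recover DeviceIDs from a /devices body,
and a toy bearer-token registry with expiry, rotation and revocation."""
import hashlib
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed sample body modelled on the /devices response shown above.
# Every identifier is a placeholder, not a real device, user or AP value.
SAMPLE_DEVICES_BODY = json.dumps([{
    "label": "SMS_Door_Bell",
    "id": "DEVICEID_PLACEHOLDER",
    "user_id": 0,
    "is_connected": True,
    "ap": {"ssid": "EXAMPLE_SSID", "mac": "00:00:00:00:00:00", "strength": "99"},
    "subscriptions": [],
    "subscribers": [],
    "input_interval_ms": 750,
}])


def device_ids_from_response(body: str) -> List[str]:
    """Return the DeviceIDs listed in a /devices JSON body.

    This is the step the text describes: an AccessToken alone is enough to
    enumerate every DeviceID on the account, so the token is the only secret.
    """
    return [d["id"] for d in json.loads(body) if "id" in d]


class TokenRegistry:
    """Hypothetical server-side registry of bearer tokens.

    Only a SHA-256 hash of each token is stored, so a leaked table does not
    hand out usable tokens; a TTL plus explicit rotation/revocation bounds the
    lifetime of a token that does leak, which is the control the cloudBit API
    is described as lacking.
    """

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._tokens: Dict[str, dict] = {}  # sha256(token) -> record

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Mint a fresh random token for user_id and record its expiry."""
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._tokens[self._key(token)] = {
            "user_id": user_id, "expires": now + self.ttl, "revoked": False}
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Resolve a presented token to a user id; None if unknown, revoked or expired."""
        rec = self._tokens.get(self._key(token))
        now = time.time() if now is None else now
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["user_id"]

    def revoke(self, token: str) -> bool:
        """Mark a token unusable; returns False if the token was never issued."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def rotate(self, old_token: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a replacement for a live token and revoke the old one."""
        user_id = self.user_for(old_token, now)
        if user_id is None:
            return None
        self.revoke(old_token)
        return self.issue(user_id, now)


def list_devices(registry: TokenRegistry, token: str,
                 devices_by_user: Dict[int, List[str]],
                 now: Optional[float] = None):
    """Hypothetical GET /devices handler: only a live token sees its owner's ids."""
    user_id = registry.user_for(token, now)
    if user_id is None:
        return 401, []
    return 200, devices_by_user.get(user_id, [])


if __name__ == "__main__":
    print(device_ids_from_response(SAMPLE_DEVICES_BODY))
    reg = TokenRegistry(ttl_seconds=3600)
    tok = reg.issue(user_id=1)
    print(list_devices(reg, tok, {1: ["DEVICEID_PLACEHOLDER"]}))
    new_tok = reg.rotate(tok)
    print(list_devices(reg, tok, {1: ["DEVICEID_PLACEHOLDER"]}))      # old token now 401
    print(list_devices(reg, new_tok, {1: ["DEVICEID_PLACEHOLDER"]}))  # new token 200
```

The `now` parameter is passed explicitly so the expiry path can be exercised deterministically; a real service would take the clock from the request time. The design choice worth noting is that rotation revokes the old token in the same step, so a client that has rotated leaves nothing long-lived behind for an attacker who captured the earlier value.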


SECURITY EVALUATION 211