Secure app settings in the manifest.json need to be transformed before use
Posted Oct 07, 2024
Hello,
Secure settings in the manifest will only be pasted into the code by ZD via a placeholder, and only as the last step before execution. That is fine for basic user-pass auth, but not anymore if you need to, as in my case, create an HMAC of the secret and only that value can be used for authentication.
Does anyone know how to solve this? I don't think it's a very good workaround to store the secret code directly in the code. But at the moment it seems to be the only solution.
Thank you!
2 comments
Zach Anthony
Hi Sebastian, you're absolutely correct that secure settings cannot be transformed prior to the request being made out to the destination server. I can appreciate that for authentication schemes which require computation at run time, such as with HMAC, it is problematic. I've gone ahead and captured your feedback and we will consider how we might be able to address this limitation in future.
To securely cater for this use case today, you would need to ensure that the request is made server side; this would involve some middleware between your app that is able to support an alternative authentication scheme.
Sebastian
Thank you for the feedback. So there currently is only the middleware solution, unless one wants to risk the secret being in plain text in the source. The risk would extend to all agents that can see the app in the backend, I assume.
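An added example, not part of the thread and not Zendesk code: a sketch of the signing step a middleware could perform server side, as suggested in the reply above, together with the matching check on the destination. The signing scheme (HMAC-SHA256 over method, path, timestamp and body hash), the header names `X-Timestamp` and `X-Signature`, the 300-second window and all sample values are assumptions made for illustration.

```javascript
// Added example: HMAC signing inside a middleware that sits between the app
// and the destination API. Scheme and header names are assumptions.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed freshness window against replay

// Canonical string covered by the signature: method, path, timestamp, body hash.
function canonicalString(method, path, timestamp, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [method.toUpperCase(), path, String(timestamp), bodyHash].join('\n');
}

// Middleware side: the secret lives in the middleware's own configuration
// (for example an environment variable), never in the app source or browser.
function signRequest(secret, method, path, body, timestamp) {
  const signature = crypto
    .createHmac('sha256', secret)
    .update(canonicalString(method, path, timestamp, body))
    .digest('hex');
  return { 'X-Timestamp': String(timestamp), 'X-Signature': signature };
}

// Destination side: reject stale timestamps, then recompute and compare
// the signature in constant time.
function verifyRequest(secret, method, path, body, headers, now) {
  const timestamp = Number(headers['X-Timestamp']);
  if (!Number.isInteger(timestamp)) return false;
  if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(
    signRequest(secret, method, path, body, timestamp)['X-Signature'], 'hex');
  const received = Buffer.from(String(headers['X-Signature'] || ''), 'hex');
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, for demonstration only.
const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_BODY = JSON.stringify({ ticket_id: 42 });

function demo() {
  const now = 1728300000; // fixed clock so the result is reproducible
  const h = signRequest(SAMPLE_SECRET, 'POST', '/v1/tickets', SAMPLE_BODY, now);
  const check = (body, at) =>
    verifyRequest(SAMPLE_SECRET, 'POST', '/v1/tickets', body, h, at);
  return {
    valid: check(SAMPLE_BODY, now + 10),
    tampered: check('{"ticket_id":43}', now + 10),
    stale: check(SAMPLE_BODY, now + 3600),
  };
}
console.log(demo());
```

With this split, the app only needs whatever credential authenticates it to the middleware, and the HMAC secret stays out of the app package that agents and browsers can read.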