
Secure app settings in the manifest.json need to be transformed before use



Posted Oct 07, 2024

Hello,

 

Secure settings in the manifest will only be pasted into the code by ZD via a placeholder and only as the last step before execution. That is fine for a basic user-pass auth, but not anymore if you need to, like in my case, create an HMAC of the secret and only that value can be used for authentication.

 

Does anyone know how to solve this? I don't think it's a very good workaround to store the secret code directly in the code. But at the moment it seems to be the only solution.

 

Thank you!



2 comments


Zach Anthony

Zendesk Product Manager

Hi Sebastian, you're absolutely correct that secure settings cannot be transformed prior to the request being made out to the destination server. I can appreciate that for authentication schemes which require computation at run time, such as with HMAC, it is problematic. I've gone ahead and captured your feedback and we will consider how we might be able to address this limitation in future.
 

To securely cater for this use case today, you would need to ensure that the request is made server side; this would involve some middleware between your app that is able to support an alternative authentication scheme.

 



Thank you for the feedback. So there currently is only the middleware solution, unless one wants to risk the secret being in plain in the source. The risk would extend to all agents that can see the app in the backend, I assume.
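
The server-side middleware approach mentioned in the reply above, sketched as an added example that is not part of the original thread or Zendesk's own code: the app authenticates to the middleware with a static token, which a placeholder can carry unchanged, and the middleware keeps the HMAC secret and signs each upstream request. The `APP_TOKEN` and `HMAC_SECRET` names, the `x-timestamp` and `x-signature` headers, and the canonical string are assumptions; use whatever the destination API actually specifies.

```javascript
// Added example: signing middleware. All names and the header layout are assumptions.
const crypto = require('node:crypto');
const http = require('node:http');

// Constant-time check of the static token the app sends from its secure setting.
function verifyAppToken(authorizationHeader, expectedToken) {
  if (!expectedToken) return false; // refuse to run with an unset token
  const presented = String(authorizationHeader || '').replace(/^Bearer /, '');
  // Hash both sides so timingSafeEqual always compares equal-length buffers.
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expectedToken).digest();
  return crypto.timingSafeEqual(a, b);
}

// Hypothetical canonical string: method, path, timestamp, SHA-256 of the body.
function signUpstreamRequest(secret, method, path, body, timestamp) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  const canonical = [method.toUpperCase(), path, String(timestamp), bodyHash].join('\n');
  return crypto.createHmac('sha256', secret).update(canonical).digest('hex');
}

// Returns the headers for the upstream call, or null if the caller is not the app.
function buildUpstreamHeaders(req, body, env, now = Date.now()) {
  if (!verifyAppToken(req.headers.authorization, env.APP_TOKEN)) return null;
  const timestamp = Math.floor(now / 1000);
  return {
    'x-timestamp': String(timestamp),
    'x-signature': signUpstreamRequest(env.HMAC_SECRET, req.method, req.url, body, timestamp),
  };
}

// The HMAC secret lives only in this process; it never reaches the agent's browser.
function createServer(env, forward) {
  return http.createServer((req, res) => {
    const chunks = [];
    req.on('data', (c) => chunks.push(c));
    req.on('end', () => {
      const body = Buffer.concat(chunks);
      const headers = buildUpstreamHeaders(req, body, env);
      if (!headers) { res.writeHead(401); return res.end(); }
      forward(req, body, headers, res); // caller-supplied HTTPS client to the real API
    });
  });
}
```

`createServer(process.env, forward).listen(port)` starts it, where `forward` is your own function that relays the request and the computed headers to the destination API over HTTPS.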
