Hello,
Secure settings in the manifest will only be pasted into the code by ZD via a placeholder and only as the last step before execution That is fine for a basic user-pass auth, but not anymore if you need to, like in my place, create an HMAC of the secret and only that value can be used for authentication.
Anyone knows how to solve this? I don't think it's a very good workaround to store the secret code directly in the code. But momentarily is seems to be the only solution.
Thank you!
Hi Sebastian, you're absolutely correct that secure settings cannot be transformed prior to the request being made out to the destination server. I can appreciate that for authentication schemes which require computation at run time, such as with HMAC, it is problematic. I've gone ahead and captured your feedback and we will consider how we might be able to address this limitation in future.
To securely cater for this use case today, you would need to ensure that the request is made server side; this would involve some middleware between your app that is able to support an alternative authentication scheme.
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
Thank you for the feedback. So there currently is only the middleware solution, unless one wants to risk the secret being in plain in the source. The risk would extend to all agents that can see the app in the backend, I assume.