Security in AppStudio Quick Report

826
2
04-06-2017 03:05 PM
KE
by
Occasional Contributor

I'm working with an app that I want the public to be able to edit through the app, but I do not want the public to be able to access the app through our organizations rest endpoint. I secured the feature service by going into ArcGIS Server Manager and limiting access to a role containing a single user.

From there it seems like there are two ways to add the user credentials to the app:

1. Embed  the username and password into this line in FeatureServiceManager.qml under the generateToken function

var obj = {"username":"user", "password":"pwd" "f":"json", referer: "http://www.arcgis.com"/*, expiration:"1"*/};

2. OR manually go to the token url, enter the username and password, generate a token, and hard code the token into the app at the top of FeatureServiceManager.qml (Hopefully this is the correct place. I haven't tested this)

Item {

    id: featureServiceManager

 

    property url url

    property string token: "wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L"

My questions are:

Is it safe to store username and password in the code for the app? Is there a way for the public to get to it?

If so, is it safe to store the token in the app? If someone got the token, couldn't they plug it into the rest endpoint and get to the service that way?

    http://myserver/arcgis/rest/services?token=wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L

I'm using AppStudio (Desktop 1.4) and the Quick Report template.

2 Replies
SathyaPrasad
Esri Contributor

Let me answer your questions in order:

1. It is never safe to store any type of credentials in any client side app. having said that since you are writing a native app and it gets compiled to binary it's not very easy to get to it but if you are very concerned then you should not go this route.

2. Saving token in the app will not help in two ways. First, it will expire at some time (or might change if you make any changes to the service) and second as you noted if you do manage to generate a long life token then it's as good as exposing username and password since it could be used to get access outside of the app.

Note: In general unless you use https all web traffic from your app can be intercepted irrespective of the method used. So to be safe it's a good idea to use SSL endpoints.

There are two solutions in your case I can think of right now:

1. Use a server-side proxy. This proxy will be exposed as an URL but can be unlocked only by your app (you can use many techniques like salt, authenticated headers etc...) and will allow the requests to pass through to get back a short-lived token. Then the app uses this token to continue.

2. Use app level oAuth (not user level). Read this for more info: ArcGIS Security and Authentication | ArcGIS for Developers 

Hope this helps.

-Sathya

KE
by
Occasional Contributor

Clarification: I was testing with an http connection but the app will use https.

I don’t think solution 2 will work because my service is located on our ArcGIS Server. Also it said a limitation was that the tokens are read only and my users need to edit the feature service.

I am trying to figure out how to implement solution 1, I found these directions here https://developers.arcgis.com/javascript/3/jshelp/ags_proxy.html. I was able to download the github file and set up the configuration on our webserver (DotNet version: https://github.com/Esri/resource-proxy/tree/master/DotNet). But it looks like I need to setup a proxy rule within the code for my app to tell it to use the proxy. Do I need to add a JavaScript file to my app and use urlUtils.addProxyRule? Or is there qml code that does something similar?

I wasn’t able to find any information on salt or authenticated headers.