I'm working with an app that I want the public to be able to edit through the app, but I do not want the public to be able to access the app through our organizations rest endpoint. I secured the feature service by going into ArcGIS Server Manager and limiting access to a role containing a single user.
From there it seems like there are two ways to add the user credentials to the app:
1. Embed the username and password into this line in FeatureServiceManager.qml under the generateToken function
2. OR manually go to the token url, enter the username and password, generate a token, and hard code the token into the app at the top of FeatureServiceManager.qml (Hopefully this is the correct place. I haven't tested this)
property url url
property string token: "wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L"
My questions are:
Is it safe to store username and password in the code for the app? Is there a way for the public to get to it?
If so, is it safe to store the token in the app? If someone got the token, couldn't they plug it into the rest endpoint and get to the service that way?
I'm using AppStudio (Desktop 1.4) and the Quick Report template.
Let me answer your questions in order:
1. It is never safe to store any type of credentials in any client side app. having said that since you are writing a native app and it gets compiled to binary it's not very easy to get to it but if you are very concerned then you should not go this route.
2. Saving token in the app will not help in two ways. First, it will expire at some time (or might change if you make any changes to the service) and second as you noted if you do manage to generate a long life token then it's as good as exposing username and password since it could be used to get access outside of the app.
Note: In general unless you use https all web traffic from your app can be intercepted irrespective of the method used. So to be safe it's a good idea to use SSL endpoints.
There are two solutions in your case I can think of right now:
1. Use a server-side proxy. This proxy will be exposed as an URL but can be unlocked only by your app (you can use many techniques like salt, authenticated headers etc...) and will allow the requests to pass through to get back a short-lived token. Then the app uses this token to continue.
2. Use app level oAuth (not user level). Read this for more info: ArcGIS Security and Authentication | ArcGIS for Developers
Hope this helps.
Clarification: I was testing with an http connection but the app will use https.
I don’t think solution 2 will work because my service is located on our ArcGIS Server. Also it said a limitation was that the tokens are read only and my users need to edit the feature service.
I wasn’t able to find any information on salt or authenticated headers.