I'm working with an app that I want the public to be able to edit through the app, but I do not want the public to be able to access the app through our organizations rest endpoint. I secured the feature service by going into ArcGIS Server Manager and limiting access to a role containing a single user.
From there it seems like there are two ways to add the user credentials to the app:
1. Embed the username and password into this line in FeatureServiceManager.qml under the generateToken function
2. OR manually go to the token url, enter the username and password, generate a token, and hard code the token into the app at the top of FeatureServiceManager.qml (Hopefully this is the correct place. I haven't tested this)
property url url
property string token: "wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L"
My questions are:
Is it safe to store username and password in the code for the app? Is there a way for the public to get to it?
If so, is it safe to store the token in the app? If someone got the token, couldn't they plug it into the rest endpoint and get to the service that way?
I'm using AppStudio (Desktop 1.4) and the Quick Report template.