Adding material to quote via REST - how do I use default description?

You could encrypt the username/pw in the app.config. Ultimately, you need to decide what level of risk you are willing to take on with this. It’s a balance between maintainability and security. You could always just hard-code it into every client you create, but what happens when the username/password changes? Now you have to change it everywhere in the source code and redeploy.

1 Like

I mean if they have access to your PC and your source code, all bets are off. Security has its limits… If this is something for your company to use, then putting the password in the sysconfig is fine… If this is something you are going to distribute out to the world then I wouldn’t embed my password.

1 Like

True, it’s only going to be hosted internally - might be open to access externally at some point but I don’t see myself sharing the source code. It just felt wrong or sloppy for some reason, but you are right, if someone is already on my computer they could do a lot of things.

I would put it in a sysconfig and call it good. If you wanna feel extra good about it you could encrypt/decrypt it using user scope from Microsoft, which adds a salt unique to your computer. So even if they copy the config out they can’t use it without it also being run from your PC.

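using System;
using System.Security.Cryptography;
using System.Text;

// Encrypt: protect the password with DPAPI for the current Windows user,
// then Base64-encode the result so it can be stored as a config string.
byte[] bytes = Encoding.Unicode.GetBytes(txtEpicorPassword.Text);
// The second argument is DPAPI's optional entropy; the same bytes must be passed to Unprotect.
byte[] entropy = Encoding.Unicode.GetBytes("YourSaltHERE");
byte[] protectedPassword = ProtectedData.Protect(bytes, entropy, DataProtectionScope.CurrentUser);
string encryptedString = Convert.ToBase64String(protectedPassword);

// Decrypt: decode the stored Base64 string and unprotect it with the same entropy and scope.
string s = Encoding.Unicode.GetString(ProtectedData.Unprotect(Convert.FromBase64String(encryptedString), entropy, DataProtectionScope.CurrentUser));
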
1 Like
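
As an added example (not code from the thread or from Epicor), here are the same ProtectedData calls wrapped in a helper that produces a string suitable for an app.config setting and fails closed when the stored value is malformed, altered, or cannot be decrypted under the current user profile. The class name, entropy string and sample password are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Windows only: ProtectedData wraps DPAPI (reference System.Security.dll on .NET Framework,
// or the System.Security.Cryptography.ProtectedData package on .NET Core / .NET 5+).
static class ProtectedSetting
{
    // Hypothetical application-specific entropy; Protect and Unprotect must use the same bytes.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleRestClient.v1");

    // Returns the Base64 string to store as the setting value.
    public static string Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave the plaintext buffer around
    }

    // Returns false instead of throwing when the stored value cannot be decrypted.
    public static bool TryUnprotect(string stored, out string secret)
    {
        secret = null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
            secret = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return true;
        }
        catch (FormatException) { return false; }        // value is not valid Base64
        catch (CryptographicException) { return false; } // other user profile, other entropy, or altered blob
    }
}

static class Program
{
    static void Main()
    {
        string stored = ProtectedSetting.Protect("constructed-sample-password");
        Console.WriteLine("round trip ok: " + ProtectedSetting.TryUnprotect(stored, out string back));

        byte[] altered = Convert.FromBase64String(stored);
        altered[altered.Length - 1] ^= 0xFF;             // simulate a modified config value
        bool ok = ProtectedSetting.TryUnprotect(Convert.ToBase64String(altered), out _);
        Console.WriteLine("altered blob accepted: " + ok);
    }
}
```

Treat a `false` return as "credential missing" and prompt for it again rather than falling back to a plaintext value.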

Cool. Do you happen to know if that works per domain user or per physical computer?

User + Computer.
DataProtectionScope.CurrentUser

1 Like

The price for Key Vault is $0.03/10,000 operations. So, not expensive. Might be something to look into once you expose it.

Mark W.

We are starting to use Key Vault heavily. That plus an Azure ApplicationID gives you functionality similar to what you are used to on premises with Windows Accounts on services like an app pool. And as Mark mentioned - cheap cost to use.

To Jose’s comment on the ProtectedData API: we use that in areas of the client already. It’s a nice secure way to cache sensitive per-user information on client PCs.

Good Conversation!

3 Likes