Add management of secrets to eez-studio
Is your feature request related to a problem? Please describe.
With dashboard you can connect to external services (http, MQTT, …). These services often require secrets (API keys, password, …). I would like to have the possibility to save (and manage) these credentials in a separate place outside the project files/directory and have them reusable between different projects. The user should give permission per project for this.
Currently it is possible to store a secret as a persistent variable. This is stored in a separate file per project and has the risk of accidental leaking (when sharing a project) and manual management per project in variables.
Describe the solution you'd like
There are several solutions possible I can think of for the usage of credentials in flows:
- Add an option to a (global) string variable to become a “credential”. From the properties panel a credential can be selected or created.
- Define a credential as a new type of variable
- Create new action to set/get/select credentials (similar to instrument).
- Combination of above
Storage of credentials: I think credentials belong to the user of eez-studio and not just to a project. Feasible options seem to be:
- A separate database file next to the generic eez-studio database file.
- Incorporate in eez-studio database file. I think this is not wise because of accidental leakage problems.
- A generic user definable place and/or specific files per project?
Credential management: There needs to be a UI to manage all stored credentials and the permissions of projects to use them. Place this in/near the settings of eez-studio. Alternatively a credential can also be considered as a ‘remote service’, just like an instrument. The UI should
- Lock/unlock the credential store with a password. Setting this password is optional.
- List of stored credentials.
- List of permissions to give access to credentials per project
- Add/delete/modify credentials.
Not MVP, but good security practice:
- Log the usage of credential
Describe alternatives you've considered
Store credential as a persistent variable in the corresponding file. And don’t forget to exclude this file when sharing a project.
The above are just my current thoughts on this, feel free to reflect on this. It is also a pretty big request.
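
A sketch of the separation this request describes, as an added example that is not eez-studio code and not part of the original post: the project holds only a named reference, the user-level store holds the value, access is denied unless the project was granted that credential, and every attempt is logged. All names (`CredentialStore`, `grant`, `resolve`, `resolveSettings`, the `{ credential: name }` reference shape) are hypothetical, and the optional password lock and on-disk encryption are left out.

```javascript
// Added illustration; every identifier here is hypothetical, not an eez-studio API.
class CredentialStore {
  constructor() {
    this.secrets = new Map(); // name -> secret value (belongs to the user, not a project)
    this.grants = new Map();  // projectId -> Set of credential names the user approved
    this.log = [];            // usage log: one entry per access attempt, allowed or not
  }
  set(name, value) { this.secrets.set(name, value); }
  remove(name) {
    this.secrets.delete(name);
    for (const names of this.grants.values()) names.delete(name); // drop stale grants
  }
  grant(projectId, name) {
    if (!this.secrets.has(name)) throw new Error(`unknown credential: ${name}`);
    if (!this.grants.has(projectId)) this.grants.set(projectId, new Set());
    this.grants.get(projectId).add(name);
  }
  revoke(projectId, name) { this.grants.get(projectId)?.delete(name); }
  // Deny by default: a project only gets a value the user explicitly granted to it.
  resolve(projectId, name) {
    const allowed = this.grants.get(projectId)?.has(name) === true && this.secrets.has(name);
    this.log.push({ time: new Date().toISOString(), projectId, name, allowed });
    if (!allowed) throw new Error(`project ${projectId} may not use credential ${name}`);
    return this.secrets.get(name);
  }
}

// Replace each { credential: name } reference in a project's settings at run time.
// The project object itself (what gets saved and shared) never contains the value.
function resolveSettings(store, project) {
  const out = {};
  for (const [key, value] of Object.entries(project.settings)) {
    const isRef = value !== null && typeof value === "object" && "credential" in value;
    out[key] = isRef ? store.resolve(project.id, value.credential) : value;
  }
  return out;
}

// Constructed sample data: two projects reference the same credential by name.
const sampleStore = new CredentialStore();
sampleStore.set("mqtt-broker", "constructed-sample-secret");
const projectA = { id: "project-a", settings: { host: "broker.example", password: { credential: "mqtt-broker" } } };
const projectB = { id: "project-b", settings: { password: { credential: "mqtt-broker" } } };
sampleStore.grant(projectA.id, "mqtt-broker"); // the user approved project A only
```

Sharing `projectA` as saved exposes only the reference name, and `sampleStore.log` records the denied attempt if `projectB` tries to resolve the same credential.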