Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to create connection with string credentials instead of from a file #882

Closed
schoetbi opened this issue Mar 27, 2024 · 5 comments
Closed

Ability to create connection with string credentials instead of from a file #882

schoetbi opened this issue Mar 27, 2024 · 5 comments
Labels
proposal Enhancement idea or proposal

Comments

@schoetbi
Copy link

Proposed change

The current implementation expects a file name for the credentials. This requires the file to be on disk, what makes it readable by others.

A workaround is the use of the handlers Options.UserJWTEventHandler and Options.UserSignatureEventHandler but this is not straightforward.

I propose that the credentials are transported as a SecureString so that it can be read e.g. from the Windows Data Protection API or directly from a key vault like Azure key vault.

So this is the method signature:

/// <param name="credentials">The content of the chained credentials file.</param>
public IConnection CreateConnection(string url, SecureString credentials, bool reconnectOnConnect = false)

Use case

I do not want to store the credentials unencrypted on disk

Contribution

No response
@schoetbi schoetbi added the proposal Enhancement idea or proposal label Mar 27, 2024
@scottf
Copy link
Collaborator

scottf commented Mar 27, 2024

@schoetbi I can't do this because of the language level of the project. Any chance you have a greenfield project? If so I would suggest using the .NET v2.
Everything else underneath is insecure, but I can offer these, that way you can use SecureString and present the credentials from memory as strings instead of need a file.

public IConnection CreateConnection(string url, string credentials, bool reconnectOnConnect = false)
public IConnection CreateConnection(string url, string userJwt, string nkeySeed, bool reconnectOnConnect = false)

WDYT?

@schoetbi
Copy link
Author

schoetbi commented Apr 2, 2024

@scottf Yes, I can use .NET v2 for my project. The main priority is that I want to avoid writing the credentials to disk. The use of SecureString is optional. So your suggestion with passing the credentials as string (not filename) is fine.

@sixlettervariables
Copy link
Collaborator

In general you should not use SecureString for new development, and even when available it does not adequately protect confidential information.

https://learn.microsoft.com/en-us/dotnet/fundamentals/runtime-libraries/system-security-securestring

@schoetbi
Copy link
Author

schoetbi commented Apr 5, 2024

@sixlettervariables Thanks for this interesting read. The use of SecureString might also be a little bit too much for my thread model. I only want to ensure that the credentials are not written to disk. So I will refrain from the use of SecureString.

@schoetbi schoetbi closed this as completed Apr 5, 2024
@scottf scottf reopened this Apr 8, 2024
@scottf scottf changed the title Add ConnectionFactory.CreateConnection(string servers, SecureString credentials); Ability to create connection with string credentials instead of from a file Apr 8, 2024
@scottf
Copy link
Collaborator

scottf commented Apr 8, 2024

Adding regular string version of the api here: https://github.com/nats-io/nats.net/pull/885

@scottf scottf closed this as completed Apr 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
proposal Enhancement idea or proposal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@scottf @schoetbi @sixlettervariables