How to access secured data in Iparams?

Bene_Immanuel · July 14, 2022, 5:19am

Hi team,

We have implemented an logic where the end user can integrate FD with an third party system.

So in the apps configuration page, the admin has to enter the API keys in a comma separated format.

Then internally we will split this string and loop through it to get the third party data.

And the thing is, that we need to secure these API keys in Iparams but if we did we can not fetch it using the Iparams method.

Is there an way to achive both?

Please let us know.

Thank you.

Santhosh · July 14, 2022, 10:43am

@Bene_Immanuel,
Good Day!
Due to security issue, secure Iparams will not be retrieved in the frontend,

to get the thirdpary data, you can use Serverless app, i,e SMI method (Freshworks Developer Docs | Freshworks app ecosystem) which you can get the secure Iparams in the parameter of SMI method,
From this you can loop through and make an API call and return it to the Frontend.

Hope it helps

Thanks

Bene_Immanuel · July 15, 2022, 7:20am

Thanks, @Santhosh!

This really helped us.

But the reason behind this is, we have submitted a marketplace app in Freshdesk and freshrelease people have rejected this app due to these “not secured” API keys issues.

Just out of curiosity, what difference does it make, eventually we are getting the API keys in the front-end so, is this really needed?

No offence, just asking this to learn.

Hoping for a constructive answer.

Thank you

Santhosh · July 15, 2022, 7:56am

The reason behind this secure Iparams, (i.e) api_key, which is an admin API key, which we can use for admin operations (such as creating/deleting/updating the ticket), so exposing it in the frontend causes security problems.

Hope it helps

Thanks

Raviraj · July 15, 2022, 10:20am

Hi @Bene_Immanuel,

Santhosh suggested getting the necessary action done in the SMI function and returning only the required response from the third-party API. Do not get the API Key from the iparam and send it back to the frontend. As you have guessed, it would be a security vulnerability to expose the Freshdesk admin’s API key to the Freshdesk agents in the frontend app.

If you know the number of API keys that will be used, you can add as many input fields in the iparams and you can use the secure iparam template without needing to split the comma-separated iparam value.

If you would want to discuss the solution further, please book a slot in our Office hours calendar to discuss the solution available.

Bene_Immanuel · July 20, 2022, 11:17am

Hi @Raviraj,

Thanks for your suggestion.

I got the point but, we are trying to upload a file to a third-party system, since we can not rely on the SMI to take care of this (due to payload size limitation), we have to stick with the front end to achieve this.

This is where I need a confirmation so that I can consider this as a thing and we can use the API key in the front end to achieve this functionality.

And after the call with your team, I got confirmation regarding this.

Thanks for your time @Saif, @jones and @Debjani.

Really appreciate it.

Saif · July 20, 2022, 11:52am

Thanks for joining office hours today, @Bene_Immanuel

The app takes in attachments from the users and POSTs them to the 3rd party server which along with it needs API keys.
The Platform’s Request Method doesn’t have support to use attachments. The usage of 3rd party libraries such as axios or superagent will need access to API keys in the frontend.
After discussing all the probabilities (SMI / Buffer multimedia so on) we finalised that a middleware intervention will need to store attachments and POST it in the way 3rd party expects.

We will treat this discussion to accelerate bringing File Storage capabilities to the platform!

Cc: @Product-Managers

system · July 26, 2022, 5:52pm

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.