What is right way to secure object's properties in configuration page using __meta property

App Platform
1

Hey guys!

According to the documentation, to secure params from custom installation page, we should use the “__meta” tag, Example:

function postConfigs() {
    var contact={};
    var company = [];
    var conditions = [];
    var api_key = jQuery("input[name=api_key]").val();
    var first_name = jQuery("input[name=first_name]").val();
    var last_name = jQuery("input[name=last_name]").val();
    contact["first_name"] = first_name;
    contact["last_name"] = last_name;
    jQuery("#company option:selected").each(function(){
      company.push(jQuery(this).val());
    });
    jQuery("input[name=\"condition\"]:checked").each(function(){
    conditions.push(jQuery(this).val());
    });
    return {
      __meta: {
        secure: ["api_key"]
      },
      api_key,
      contact,
      company: company,
      conditions: conditions
    }
  }

I tested it and it’s working.
But let’s say I have more than one parameter and it’s nested:

function postConfigs() {
  var params = {
    param1: "value",
    authentication: {},
  };
  params.authentication = {
    fdDomain: $("#fd-domain").val(),
    fdUserID: $("#fd-user-id").val(),
    fdUserApiKey: $("#fd-api-key").val(),
    rtcServerURI: $("#rtc-server-uri").val(),
    rtcTunnel: $("#rtc-tunnel").val(),
    rtcUserName: $("#rtc-user-name").val(),
    rtcUserPassword: $("#rtc-user-pass").val(),
    wafUserName: $("#rtc-waf-user-name").val(),
    wafUserPassword: $("#rtc-waf-user-pass").val(),
    vtDomain: $("#vt-domain").val(),
    vtUsername: $("#vt-user-name").val(),
    vtPassword: $("#vt-user-pass").val(),
    pgHost: $("#pg-domain").val(),
    pgPort: $("#pg-port").val(),
    pgUser: $("#pg-user-name").val(),
    pgPassword: $("#pg-user-pass").val(),
    pgDatabase: $("#pg-database").val(),
  };
  params["__meta"] = {
    secure: [
      "authentication.fdDomain",
      "authentication.fdUserID",
      "authentication.fdUserApiKey",
      "authentication.vtDomain",
      "authentication.vtUsername",
      "authentication.vtPassword",
      "authentication.rtcServerURI",
      "authentication.rtcTunnel",
      "authentication.rtcUserName",
      "authentication.rtcUserPassword",
      "authentication.wafUserName",
      "authentication.wafUserPassword",
      "authentication.pgHost",
      "authentication.pgPort",
      "authentication.pgUser",
      "authentication.pgPassword",
      "authentication.pgDatabase",
    ],
  };
  return params;
}

In frontend, calling:

client.iparams.get()

It’s returning all the authentication object.
Am I doing it wrong?

2

@samuelpares,
Good Day!
you need to mention only the top-level key in the secure array, and it is not possible to mention the child keys.

eg:

function postConfigs() {
  var params = {
    param1: "value",
    authentication: {},
  };
  params.authentication = {
    fdDomain: $("#fd-domain").val(),
    fdUserID: $("#fd-user-id").val(),
    fdUserApiKey: $("#fd-api-key").val(),
    rtcServerURI: $("#rtc-server-uri").val(),
    rtcTunnel: $("#rtc-tunnel").val(),
    rtcUserName: $("#rtc-user-name").val(),
    rtcUserPassword: $("#rtc-user-pass").val(),
    wafUserName: $("#rtc-waf-user-name").val(),
    wafUserPassword: $("#rtc-waf-user-pass").val(),
    vtDomain: $("#vt-domain").val(),
    vtUsername: $("#vt-user-name").val(),
    vtPassword: $("#vt-user-pass").val(),
    pgHost: $("#pg-domain").val(),
    pgPort: $("#pg-port").val(),
    pgUser: $("#pg-user-name").val(),
    pgPassword: $("#pg-user-pass").val(),
    pgDatabase: $("#pg-database").val(),
  };
  params["__meta"] = {
    secure: [
      "authentication",
    ],
  };
  return params;
}

Hope it helps :slight_smile:

Thanks

3 Likes