securing credential



  • Hello,

    We are playing with jsreport for evaluation purposes and are very happy so far. I have one question though.

    We have our set of APIs which we are looking to use from within jsreport to get the data, and then use jsreport to generate PDF/Excel out of that data. Our API requires a username / password. I was wondering, is there any way to save the username and password securely in jsreport so that we can use them in our API calls? Is there any documentation you can point me to?

    Regards
    Kabir



  • Hi, glad you like jsreport so far.

    I would write the credentials to a file in encrypted form and decrypt them before using them in a jsreport script.
    To increase security you can also use firewall IP whitelisting.



  • Yes, that would be one way to go about it. Thanks for that, Jan.



  • Hi Jan,

    I'm working with the starter version, and taking into consideration the example in this link https://jsreport.net/blog/pdf-reports-in-sql-server , my problem is similar to the above. How can I keep these credentials secure?
    If I keep the credentials in script files, they can be accessible in many ways through the jsreport API.
    Still, basic authentication is not secure either, since I need to send a base64 hash in the request headers.
    It's important to say that I plan to work with jsreport's browser client in a dynamic way, embedding the reports in my page, and the authentication method is not secure enough at the moment.
    Passing a basic authentication header with a base64 hash in an ajax call on my page will give someone with bad intentions every chance to access sensitive data on the jsreport server.
    So, if you can help with this issue, I would appreciate it.

    Thanks



  • @Marlon-Bidu

    > If I keep the credentials in script files, they can be accessible in many ways through the jsreport API.

    You can store credentials in a file and read it from the script. You can pass credentials through environment variables and get them from the script. The credentials can also be included in the request itself, so they don't need to be stored.

    > Passing a basic authentication header with a base64 hash in an ajax call on my page will give someone with bad intentions every chance to access sensitive data on the jsreport server.

    We also support token-based authentication: https://jsreport.net/learn/authentication#token-based-authentication-using-an-authorization-server

    Another option is to avoid exposing jsreport to the public. Run it behind your application and let the browser client be authenticated first on your server before you send the request to jsreport.
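
The two storage suggestions in this thread (an encrypted credentials file, with the secret supplied through an environment variable) can be combined as in the sketch below. This is an added example, not code from the thread or from jsreport: the variable name `CRED_KEY`, the function names and the sample values are hypothetical, and it assumes the jsreport script is permitted to require Node's `crypto` module.

```javascript
// Added example: AES-256-GCM sealed credentials, key material taken from the environment.
const crypto = require('crypto');

// Derive a 32-byte AES key from a secret passed in an environment variable.
function keyFromEnv(env, salt) {
  const secret = env.CRED_KEY; // hypothetical variable name
  if (!secret) throw new Error('CRED_KEY is not set');
  return crypto.scryptSync(secret, salt, 32);
}

// Encrypt { username, password }; run once, outside jsreport, to produce the file content.
function sealCredentials(creds, env) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', keyFromEnv(env, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(creds), 'utf8'), cipher.final()]);
  return JSON.stringify({
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  });
}

// Decrypt the file content; throws if the key is wrong or the file was modified.
function openCredentials(sealed, env) {
  const { salt, iv, tag, ct } = JSON.parse(sealed);
  const b = (s) => Buffer.from(s, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', keyFromEnv(env, b(salt)), b(iv));
  decipher.setAuthTag(b(tag));
  const pt = Buffer.concat([decipher.update(b(ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Build the Basic auth header for the backend API call made from the script.
function basicAuthHeader({ username, password }) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Constructed sample values, for demonstration only.
const demoEnv = { CRED_KEY: 'constructed-demo-secret' };
const demoFile = sealCredentials({ username: 'report-svc', password: 'example-pass' }, demoEnv);
console.log(basicAuthHeader(openCredentials(demoFile, demoEnv)));
```

In a script, `openCredentials` would be called with the file content and `process.env`, so the decrypted username and password exist only in memory on the server and never reach the browser client.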

