Auth Token for Edge

I am looking at a driver that would discover devices and then the user would have to provide a token manually in the ST app. There is a web service to authenticate based on username and password, but no way to hit it without creating a bridge application like @TAustin or @brbeaird created for their drivers.

Are there security concerns with storing this token in preferences? Is that emitted into any logs? How about having the user enter it through a capability and store it in a device field (device:set_field)? I know those fields can’t be accessed, but suspect the event itself would end up putting the token into the logs.

Any suggestions on redacting this from logs and storing it would be greatly appreciated.

Currently, I have this preference, but the token is shown as plain text in the UI. Not sure if it impacts logging, in-memory access or at-rest storage.

preferences:
  - name: token
    title: Authentication Token
    description: Manually provide the authentication token allowing local access to the appliance
    required: false
    preferenceType: string
    definition:
      stringType: password

I noticed the same issue where the password is just shown in plain text, which is not ideal. From what I can tell, the value doesn’t get emitted out anywhere (just a basic indication that the info change event triggered), so I’ve just been hoping for the best.

I don’t see it in the edge logs locally, but think it may end up in some server-side logs on the ST side. I guess one option would be to create a web tool that generates this token and gives the user back an encrypted form of it that they can enter instead. I’d have to decrypt it from preferences. Hopefully that’s unnecessary. It appears that ST intended for username and password to be entered through preferences with their own dedicated settings, so it seems possible that it will work. I just can’t use those exact prefs.

I just don’t really understand the purpose of a “password” string definition if it doesn’t actually hide it at all.

@brbeaird is correct, in the driver logs, they will only appear if you print them.
I’ll ask the team about password storage to see if they can provide more details about it.
Also, the issue with the password being shown is already reported, I just pinged the team again to check its progress.
Thank you for bringing this up!

2 Likes
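
One way to keep the token out of anything the driver itself prints, as an added example that is not part of the thread or of any poster's driver: pure Lua with no SmartThings calls, where `SENSITIVE_KEYS`, the helper names and the sample values are constructed for illustration. In a driver, the redacted copy rather than the raw preferences table or error string is what would be handed to the logger.

```lua
-- Added example: plain Lua, no SmartThings APIs; key names are assumptions.
local SENSITIVE_KEYS = { token = true, password = true }
local MASK = "<redacted>"

-- Escape Lua pattern magic characters so a secret is matched literally.
local function escape_pattern(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- Collect every non-empty string stored under a sensitive key, at any depth.
local function collect_secrets(tbl, found, seen)
  found, seen = found or {}, seen or {}
  if seen[tbl] then return found end
  seen[tbl] = true
  for k, v in pairs(tbl) do
    if type(v) == "table" then
      collect_secrets(v, found, seen)
    elseif SENSITIVE_KEYS[k] and type(v) == "string" and v ~= "" then
      found[#found + 1] = v
    end
  end
  -- Longest first, so a secret that contains another is masked as a whole.
  table.sort(found, function(a, b) return #a > #b end)
  return found
end

-- Return a copy that is safe to log: sensitive keys are masked, and secret
-- values are scrubbed from other strings (e.g. an error echoing a URL).
local function redact(value, secrets, seen)
  if type(value) == "string" then
    for _, secret in ipairs(secrets) do
      value = value:gsub(escape_pattern(secret), MASK)
    end
    return value
  end
  if type(value) ~= "table" then return value end
  seen = seen or {}
  if seen[value] then return "<cycle>" end
  seen[value] = true
  local copy = {}
  for k, v in pairs(value) do
    copy[k] = SENSITIVE_KEYS[k] and MASK or redact(v, secrets, seen)
  end
  seen[value] = nil
  return copy
end

-- Constructed sample data; the token and address are made up.
local prefs = { token = "abc123.constructed", pollInterval = 30 }
local secrets = collect_secrets(prefs)
print(redact("GET http://192.0.2.10/status?token=abc123.constructed failed", secrets))
local safe = redact(prefs, secrets)
print(safe.token, safe.pollInterval)
```

This only covers output the driver produces; it does not change how the preference value is displayed in the app or stored by the platform.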

Under groovy, the preferences were also accessible in the cloud. I assume some remnants of that could potentially expose edge preferences.