Settings defined in app.config does not work with encryption #21900

improwise opened this issue Jan 14, 2025 · 5 comments


@improwise
Contributor

improwise commented Jan 14, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Description

It seems like when defining settings in app.config like

  "Settings": {
    "FUB.PushNotification.ExpoAccessToken": "-",
    "FUB.PushNotification.ExpoApiUrl": "https://exp.host/--/api/v2/push/send"
  }

It does not seem to work when those settings are supposed to be encrypted like:

public class FUBSettingDefinitionProvider : SettingDefinitionProvider
{
    public override void Define(ISettingDefinitionContext context)
    {
        context.Add(
            new SettingDefinition(
                FUBSettings.PushNotification.ExpoAccessToken,
                isEncrypted: true),
            new SettingDefinition(
                FUBSettings.PushNotification.ExpoApiUrl)
        );
    }
}

When you try to read them like:

            var expoAccessToken = await _settingProvider.GetOrNullAsync(FUBSettings.PushNotification.ExpoAccessToken);
            var expoApiUrl = await _settingProvider.GetOrNullAsync(FUBSettings.PushNotification.ExpoApiUrl);

the encrypted value will always be string.Empty (""). If you disable encryption it will work fine.

This seems like a bug unless our implementation is wrong.

There is a related topic here but since we are defining settings in app.config, I don't think it applies here.

https://abp.io/support/questions/5911/Encrypted-Setting-Default-Value

Thanks.

improwise added the bug label Jan 14, 2025
@improwise
Contributor Author

improwise commented Jan 14, 2025

Is it recommended to use the ISettingManager instead and if so, would that affect this? Guessing not because of this from docs

"Use the ISettingProvider instead of the ISettingManager if you only need to read the setting values, because it implements caching and supports all deployment scenarios. You can use the ISettingManager if you are creating a setting management UI."

@maliming
Member

maliming removed the bug label Jan 15, 2025
@improwise
Contributor Author

improwise commented Jan 15, 2025

> The setting value in appsettings.json needs to be encrypted.
>
> https://abp.io/support/questions/5911/Encrypted-Setting-Default-Value#answer-3a0e0fae-217d-ff83-6235-809e948ed2f3

Thanks for responding.

I linked to that thread above; there is actually no mention of that in the thread or in the documentation from what I can see, as well as information on how to actually do the encryption. It also only seems to refer to the default value and when running custom code, which would most likely be "-" or something like that for sensitive data. It does state "Usually, you don't need to care about the encryption, which is done automatically." which does not seem to be true.

That said, it would seem reasonable that the value should be encrypted in appsettings or when overridden in hosting etc., but then the documentation needs to be updated to mention this as well as how to do it. I assume you are not supposed to build a utility of your own using ISettingEncryptionService just for it; can it be done using the CLI?

Thanks.

@maliming
Member

The setting values in appsettings.json are just like the values in the database.

We will use ISettingEncryptionService encryption when writing to a setting value database.

@improwise
Contributor Author

improwise commented Jan 17, 2025

> The setting values in appsettings.json are just like the values in the database.
>
> We will use ISettingEncryptionService encryption when writing to a setting value database.

I think that this should at least be mentioned in the documentation at https://abp.io/docs/latest/framework/infrastructure/settings that for encrypted values, you need to encrypt them manually yourself.

The example given under "Setting Values in the Application Configuration" is quite confusing if not incorrect in itself, as it supplies the Abp.Mailing.Smtp.Password as an unencrypted value in appsettings.json, even though that is a setting that is supposed to be encrypted so the provided example would not work.

> Encrypt the SMTP Password
>
> Abp.Mailing.Smtp.Password must be an encrypted value. If you use the ISettingManager to set the password, you don't have to worry. It internally encrypts the values on set and decrypts on get. If you use the appsettings.json to store the password, you should manually inject the ISettingEncryptionService and use its Encrypt method to obtain an encrypted value. This can be done by creating a simple code in your application. Then you can delete the code. As better, you can create a UI in your application to configure the email settings. In this case, you can directly use the ISettingManager without worrying the encryption.

https://abp.io/docs/latest/framework/infrastructure/emailing
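
Added example (not part of the original thread and not ABP's own code): a one-off helper following the approach in the emailing documentation quoted above, which encrypts a plain value with `ISettingEncryptionService` so the result can be placed under `"Settings"` in appsettings.json. The class name `SettingCipherTextGenerator` and its method are hypothetical, and the sketch assumes a recent ABP version in which `ISettingDefinitionManager.GetAsync` is available.

```csharp
using System;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Settings;

// Hypothetical one-off helper (name and shape are assumptions, not ABP code).
// Run it inside the application itself so the value is encrypted with the same
// encryption configuration that will later be used to decrypt it.
public class SettingCipherTextGenerator : ITransientDependency
{
    private readonly ISettingDefinitionManager _definitions;
    private readonly ISettingEncryptionService _encryption;

    public SettingCipherTextGenerator(
        ISettingDefinitionManager definitions,
        ISettingEncryptionService encryption)
    {
        _definitions = definitions;
        _encryption = encryption;
    }

    // Returns the encrypted string to store in appsettings.json for settingName.
    public async Task<string> EncryptForAppSettingsAsync(string settingName, string plainValue)
    {
        var definition = await _definitions.GetAsync(settingName);

        // Only settings defined with isEncrypted: true are decrypted on read;
        // encrypting any other setting would hand the caller ciphertext.
        if (!definition.IsEncrypted)
        {
            throw new InvalidOperationException(
                $"Setting '{settingName}' is not defined as encrypted; store it as plain text.");
        }

        var cipherText = _encryption.Encrypt(definition, plainValue)
            ?? throw new InvalidOperationException("Encrypt returned null.");

        // Round-trip check before the value is copied into configuration.
        if (_encryption.Decrypt(definition, cipherText) != plainValue)
        {
            throw new InvalidOperationException("Encrypted value does not decrypt to the input.");
        }

        return cipherText;
    }
}
```

Called once with `FUBSettings.PushNotification.ExpoAccessToken` and the real token, the returned string replaces the `"-"` placeholder in the `"Settings"` section; the helper can then be deleted, as the documentation suggests, and the plain token should not be written to logs along the way.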
