11 Jun 2024 12:44 PM
Hello All,
I notice you can see the value of a token when it is used in JavaScript. I assume that this is inherent to the used implementation? Or will there be an improvement?
KR Henk
11 Jun 2024 01:43 PM - edited 11 Jun 2024 01:50 PM
Hi! In the screenshot, you're seeing the Result tab of a "run_javascript" task. Most likely, the token is returned as part of this task. You can investigate and change this by editing the Workflow, and looking at the "Run JavaScript" task in question, which probably looks something like this:
// optional import of sdk modules
import { execution } from '@dynatrace-sdk/automation-utils';

export default async function ({ execution_id }) {
  // your code goes here
  const token = "1234";
  const scope = "SCOPE";
  // do something
  // whatever is returned here is shown in the task's Result tab
  return { token: token, scope: scope };
}
edit: now if you're asking whether you can mask this token, that's a no for now. What you could however do instead is store the token using secrets in App-Settings or Dynatrace Credential Vault.
11 Jun 2024 01:51 PM
Hi Christian,
Sorry, it is returned by the code below in the task:
tokenCredentials = await credentialVaultClient.getCredentialsDetails({
  id: 'CREDENTIALS_VAULT-04B79924E62A26F3',
});
So I was thinking it is the real token value.
KR Henk
11 Jun 2024 01:55 PM
Now I see 🙂 The Run JavaScript task is doing exactly what you tell it to do, which, in this case, is returning the full response of getCredentialsDetails from credentialVaultClient.
I suppose you want to use the token returned in a follow-up task?
11 Jun 2024 02:06 PM
Absolutely,
So in simple terms, next step would be a POST request using this credential.
My main concern was that I can see the token used in the script, so this would be a security risk as anybody who can see the workflow can possibly see and copy the token?
See my token definition:
KR Henk
11 Jun 2024 02:11 PM
Yes, that's all correct. Don't return the token. Support for using credentials/secrets in a secure way is on the roadmap, as far as I know.
For the time being, you can use fetch in the Run JavaScript action like this:
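import { credentialVaultClient } from '@dynatrace-sdk/client-classic-environment-v2';

// read the token from the Credential Vault and keep it in a local variable only
const token = await credentialVaultClient.getCredentialsDetails({
  id: "CREDENTIALS_VAULT-ABCD1234",
}).then((credentials) => credentials.token);

const url = "https://....";
// use the token in the request header; do not return it from the task
const response = await fetch(url, {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${token}`
  }
}).then(response => response.json());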
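Added example, not part of any post in this thread and not Dynatrace's own code: a sketch of the follow-up POST that uses the vault token inside the task and scrubs it from everything the task returns, since the Result tab shows the full return value. The names `scrub`, `postWithVaultToken`, `stubVault` and `stubFetch`, the credential id and the URL are hypothetical; the vault client and fetch are passed in as parameters so the code runs offline against constructed stubs.

```javascript
// Added example: in a real Run JavaScript task, `vault` would be
// credentialVaultClient and `fetchImpl` the global fetch (assumption);
// here both are constructed stand-ins so the sketch runs offline.
function scrub(value, secret) {
  if (!secret) return value;
  if (typeof value === 'string') return value.split(secret).join('[REDACTED]');
  if (Array.isArray(value)) return value.map((v) => scrub(v, secret));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrub(v, secret)])
    );
  }
  return value;
}

// Use the token for the POST, then return only what later tasks need.
async function postWithVaultToken(vault, fetchImpl, credentialId, url, payload) {
  const { token } = await vault.getCredentialsDetails({ id: credentialId });
  try {
    const response = await fetchImpl(url, {
      method: 'POST',
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    });
    const body = await response.json();
    // The task result is visible in the workflow UI, so scrub it first.
    return { ok: response.ok, status: response.status, body: scrub(body, token) };
  } catch (err) {
    // Error text can echo request details; scrub it before returning.
    return { ok: false, error: scrub(String(err.message), token) };
  }
}

// Constructed stubs and sample values (not real credentials or endpoints).
const SAMPLE_TOKEN = 'sample-token-not-real';
const stubVault = { getCredentialsDetails: async () => ({ token: SAMPLE_TOKEN }) };
const stubFetch = async (url, options) => ({
  ok: true, status: 200,
  // Simulates a server that echoes the Authorization header in its reply.
  json: async () => ({ received: true, echo: options.headers.Authorization }),
});

function runDemo() {
  return postWithVaultToken(stubVault, stubFetch, 'CREDENTIALS_VAULT-PLACEHOLDER',
    'https://example.invalid/api', { hello: 'world' });
}
```

With the stubs, `runDemo()` resolves to a result whose `body.echo` is `Bearer [REDACTED]`, so the token never reaches the task output even when the remote side reflects it.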