
It’s important to keep app secrets out of our code. Most app secrets, however, are still found in .config files. This way of handling app secrets becomes very risky when the code is in a public repository.
So some people put dummy text in the .config files and tell their teammates to enter their own app secrets. Things get ugly when this kind of “common understanding” among the teammates breaks down.

Secret Manager Tool
So when I am working on the dotnet.sg website, which is an ASP .NET Core project, I use the Secret Manager tool. It offers a way to store sensitive data such as app secrets on our local development machine.
To use the tool, I first need to add it to project.json as follows.
{
    "userSecretsId": "aspnet-CommunityWeb-...",
    ...
    "tools": {
        ...
        "Microsoft.Extensions.SecretManager.Tools": "1.0.0-preview2-final"
    }
}
Because the Secret Manager tool keeps project-specific configuration settings in the user profile, we also need to specify a userSecretsId value in project.json.
After that, I can start storing the app secrets in the Secret Manager tool by entering the following command in the project directory.
$ dotnet user-secrets set AppSettings:MeetupWebApiKey ""
Take note that currently (Jan 2017) the values stored by the Secret Manager tool are not encrypted. So it is for development only.
As shown in the example above, the name of the secret is “AppSettings:MeetupWebApiKey”. This is because in appsettings.json I have the following.
{
    "AppSettings": {
        "MeetupWebApiKey": ""
    },
    ...
}
Alright, now that the API key is stored in the Secret Manager tool, how is it accessed from the code?
By default, appsettings.json is already loaded in Startup.cs. However, we still need to add the env.IsDevelopment() block shown below to Startup.cs to enable User Secrets as part of our configuration in the Startup constructor.
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;

public class Startup
{
    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

        if (env.IsDevelopment())
        {
            // Load secrets.json from the Secret Manager tool (development only).
            builder.AddUserSecrets();
        }

        // Providers added later override earlier ones, so environment variables win.
        builder.AddEnvironmentVariables();
        Configuration = builder.Build();
    }
    ...
}
Then in the Models folder, I create a new class called AppSettings, which will be used later when we load the app secrets:
public class AppSettings
{
    public string MeetupWebApiKey { get; set; }
    ...
}
So, let’s say I want to use the key in the HomeController. I just need to do the following.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class HomeController : Controller
{
    private readonly AppSettings _appSettings;

    // The bound AppSettings section is injected through the options pattern.
    public HomeController(IOptions<AppSettings> appSettings)
    {
        _appSettings = appSettings.Value;
    }

    public async Task<IActionResult> Index()
    {
        string meetupWebApiKey = _appSettings.MeetupWebApiKey;
        ...
    }
    ...
}
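The snippets above leave out the step that binds the "AppSettings" section to the AppSettings class; without it, IOptions<AppSettings> resolves to an object with a null key. The following is an added example, not the dotnet.sg project's own code, that wires user secrets, the typed options class and the controller end to end, and adds a fail-fast check so a missing key is reported at startup rather than on the first Meetup call. It assumes ASP .NET Core 1.x (the project.json era) with the Microsoft.Extensions.Configuration.UserSecrets and Microsoft.Extensions.Options packages referenced.

```csharp
// Added example (not from the original post): full wiring of user secrets ->
// typed AppSettings -> controller, plus a startup check that the key exists.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public class AppSettings
{
    public string MeetupWebApiKey { get; set; }
}

public class Startup
{
    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

        if (env.IsDevelopment())
        {
            // secrets.json written by "dotnet user-secrets": per-user, plain text,
            // lives outside the repository so it is never committed.
            builder.AddUserSecrets();
        }

        // Later providers override earlier ones. On Azure App Service the
        // Application Settings arrive here as environment variables, which is
        // why the empty string in appsettings.json is replaced in production.
        builder.AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Binds the "AppSettings" section so IOptions<AppSettings> can be injected.
        services.Configure<AppSettings>(Configuration.GetSection("AppSettings"));
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Fail fast: outside Development an empty key means the Application
        // Setting (or environment variable) was never set on the host.
        var key = Configuration["AppSettings:MeetupWebApiKey"];
        if (!env.IsDevelopment() && string.IsNullOrWhiteSpace(key))
        {
            throw new InvalidOperationException(
                "AppSettings:MeetupWebApiKey is not configured for this environment.");
        }

        app.UseMvcWithDefaultRoute();
    }
}

public class HomeController : Controller
{
    private readonly AppSettings _appSettings;

    public HomeController(IOptions<AppSettings> appSettings)
    {
        _appSettings = appSettings.Value;
    }

    public IActionResult Index()
    {
        // Use the key for the outbound Meetup call only; never echo it into
        // the response, a log line or an error page.
        bool configured = !string.IsNullOrEmpty(_appSettings.MeetupWebApiKey);
        return Content(configured ? "Meetup key is configured." : "Meetup key is missing.");
    }
}
```

Reading the value through the configuration indexer with the "AppSettings:MeetupWebApiKey" path is the same key name used with `dotnet user-secrets set`, so the check covers whichever provider supplied it.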
Azure Application Settings
So far the Secret Manager tool has helped us manage app secrets in the local development environment. What about when we deploy our web app to Microsoft Azure?
For dotnet.sg, I host the website on Azure App Service. What is great about Azure App Service is that it has a feature called Application Settings.

For .NET applications, the settings in “App Settings” are injected into the AppSettings at runtime and override existing settings. Thus, even though I have empty strings in the appsettings.json file in the project, as long as the correct values are stored in App Settings, there is nothing to worry about.
Application Settings and Timezone
Oh ya, one more cool feature in App Settings, introduced in 2015, is that we can easily change the server time zone for a web app hosted on Azure App Service by adding a new entry as follows in the App Settings.
WEBSITE_TIME_ZONE    Singapore Standard Time
The setting above changes the server time zone to Singapore local time, so DateTime.Now returns the current local time in Singapore.
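Because DateTime.Now depends on whatever time zone the host happens to be in, code that needs Singapore time is more robust if it converts from UTC explicitly. The following is an added example, not from the original post, that goes slightly beyond it: it returns Singapore local time on any host, whether or not WEBSITE_TIME_ZONE is set. The id "Singapore Standard Time" is the same Windows id the post uses; the IANA id "Asia/Singapore" is assumed as the fallback for Linux hosts.

```csharp
// Added example (not from the original post): host-independent Singapore time.
using System;

public static class SingaporeClock
{
    // Windows time zone id first (matches WEBSITE_TIME_ZONE), IANA id as fallback.
    private static readonly TimeZoneInfo Sgt =
        FindZone("Singapore Standard Time", "Asia/Singapore");

    private static TimeZoneInfo FindZone(params string[] ids)
    {
        foreach (var id in ids)
        {
            try
            {
                return TimeZoneInfo.FindSystemTimeZoneById(id);
            }
            catch (TimeZoneNotFoundException)
            {
                // Try the next id for this host's time zone database.
            }
        }
        throw new TimeZoneNotFoundException("No Singapore time zone id found on this host.");
    }

    // Store and compare timestamps in UTC; convert only at the edge for display.
    public static DateTime Now()
    {
        return TimeZoneInfo.ConvertTimeFromUtc(DateTime.UtcNow, Sgt);
    }

    public static DateTime FromUtc(DateTime utc)
    {
        if (utc.Kind != DateTimeKind.Utc)
        {
            throw new ArgumentException("Expected a UTC timestamp.", nameof(utc));
        }
        return TimeZoneInfo.ConvertTimeFromUtc(utc, Sgt);
    }
}
```

With this in place, WEBSITE_TIME_ZONE remains a convenience for DateTime.Now but is no longer something the application's correctness depends on.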
References
If you would like to read more about the topics above, please refer to the following websites.
- How Dangerous Is It to Store Password in Plain Text on Github? (July 2013)
- Safe Storage of App Secret during Development (October 2016)
- User Secrets – Storing Sensitive Data in ASP .NET Core Projects (May 2016)
- Working with User Secrets in ASP .NET Core Applications (July 2016)
- No More App Secrets in Config with ASP .NET Core (October 2016)
- Configure Web Apps in Azure App Service (December 2016)
- Changing the Server Time Zone on Azure Web Apps (April 2015)