Security Provider Properties - Secret Key - from data source

Before I put this in as a feature request, I first want to find out if it's a valid request. If it's possible, is there any reason why it might not be a good idea?

@George

Scenario: I have multiple clients using the same CMS (unique to every site and unique database).
With PHP I just modified the files in dmxConnect\modules\SecurityProviders and FTP them to the server for each client.

Is there anybody else using a CMS (unique to every site and unique database) they create for multiple clients, using different security keys? Or is it fine to use the same Secret Keys for all the clients?

So in short… if all the sites I develop on Wappler have the same Secret Keys… would it be a security risk? Can I use the same Secret Key on all sites I develop? I guess that is the question.

If it's not a security risk… then the below is obsolete… and you can stop reading… :slight_smile:

Now I'm using Docker with Node, as this is what is recommended… So I want to deploy the same “site” to 10 clients, but I want to avoid them all using the same “Secret Keys”, and that will mean I have to manually add these files to each site, or change the keys in the files and re-deploy each site.

But it would be ideal if one could select this out of a database, as the database is unique to every client.
So that when I do an update on the site files… I just have to press the deploy button on 10 targets and it's done.


This is a great question to be honest. I don’t have much understanding of where this key comes into play. But in our multi-tenant apps, this value is the same for everyone.
I don’t think it is a cause of concern, but would be great to have some explanation around how it works.

2 Likes

Yes SID that was my worry…

My understanding was that for each site the Secret Key needs to be different per domain for the Security Providers… as there was a reason for this… maybe @Teodor could give us a clear answer.

But that is the reason why I'm asking again… because of the site being used on different domains with the same Secret Key… will this cause an issue with security and sessions?
If a user by any chance has the same username and password (not likely) on another site with the same security key… will they just get access because of the same Secret Key?

Or is it best practice to change them per domain?

Can you not just edit this same file locally before you hit deploy? Then it will write it to the container with the correct key on deploy.

A bit of a pain, because you will have to have 10 targets for 10 different Docker containers, then change the key, deploy to that target, edit the key, change the target to the next one and deploy again, and so on.

Yes, that is the pain… and hence the question…

Because if I update the site… I just want to hit deploy… on all 10 targets… without having to worry about changing files 10 times… as you said above…

Can the sites use the same Secret Key… or must they all be different? Do you perhaps know the “function” of the secret key and how it ties into the bigger scheme of things? So in a nutshell… is it bad practice to use the same secret keys on multiple sites… or do they have to be different?

As far as I know you can happily use the same secret key on all of the domains using the same CMS.

I am not certain of the inner workings of the secret key, but I imagine it's to allow the site internally to access the rest of the secure passwords etc. for your database, FTP, Docker containers etc. so they cannot be hacked.

1 Like

Ok… sounds good… :slight_smile: I'll wait for @Teodor to confirm officially… then at least I don’t have to worry about that factor in my CMS and there's no need to put in the “feature request”, as this would then be obsolete… But I'm not expecting an answer soon as it's “Roll Out” Thursday…

What authentication are you using?

For Argon:
Perhaps a fix may be to postfix the domain (or some other key value) to the end of the login password programmatically (this needs to be done on the registration and login scripts).

So for example they register with the password “mysecretpassword”, you append “mydomain.com” and create the secure password hash on that concatenated value.
Similarly, the login would have to append the domain/key before authentication.

For SHA, you can do that or append the domain/key to the salt.

You can obtain the server URL from the $_SERVER.URL variable (split it on “/”, it is part [0]).
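One way to implement the domain-bound hashing suggested above, as an added example that is not part of the original post or of Wappler's own code. It covers both variants (domain appended to the password for the Argon-style hash, domain appended to the salt for the SHA-style hash); scrypt from Python's standard library stands in for Argon2 so the example runs offline, and the domain is taken from the URL with urlsplit rather than by splitting on "/" (both are assumptions).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: scrypt stands in for Argon2 so nothing outside the stdlib is needed.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
PBKDF2_ROUNDS = 200_000


def site_domain(url: str) -> str:
    """Hostname of the site URL, e.g. 'mydomain.com' for https://mydomain.com/login."""
    return urlsplit(url).hostname or ""


def argon_style_hash(password: str, domain: str,
                     salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Registration: hash (password + domain) with a random per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    bound = (password + domain).encode()          # the append-the-domain step
    return salt, hashlib.scrypt(bound, salt=salt, **SCRYPT_PARAMS)


def sha_style_hash(password: str, domain: str,
                   salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Registration, SHA variant: keep the password, append the domain to the salt."""
    salt = salt if salt is not None else os.urandom(16)
    bound_salt = salt + domain.encode()           # domain lives in the salt instead
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), bound_salt, PBKDF2_ROUNDS)


def login_ok(password: str, domain: str, salt: bytes, stored: bytes,
             variant=argon_style_hash) -> bool:
    """Login: re-apply the same domain binding, then compare in constant time."""
    _, digest = variant(password, domain, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed sample: same password and same salt registered on two sites.
    salt = os.urandom(16)
    _, site_a = argon_style_hash("mysecretpassword", "mydomain.com", salt)
    _, site_b = argon_style_hash("mysecretpassword", "otherdomain.com", salt)
    print("hashes differ per domain:", site_a != site_b)                         # True
    print("login on own domain:", login_ok("mysecretpassword", "mydomain.com", salt, site_a))   # True
    print("login with other domain:", login_ok("mysecretpassword", "otherdomain.com", salt, site_a))  # False
```

The salt is still stored per user as usual; only the domain suffix is recomputed on every login, so the same stored hash cannot verify on a second site even if both sites share a Secret Key and a user reused their password.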

Hi @Hyperbytes, it's the “static” secret key that gets generated when you set up a security provider.
This gets generated by Wappler and one can change this…
So I don't think I have to worry about the authentication side… as that is done elsewhere…
The question is whether I can use the same secret key on multiple sites without having a security problem.


Yes, I am well aware of how the security provider works. Unfortunately with a static key it would be possible for two users to have the same credentials, allowing cross account access (unless you have a centralised user table and the login name field value is flagged as unique?).
What I suggested is an alternative for you to consider, doing what you want at password level rather than security key level.
If you have a centralised login table and check for duplicated logins then it should not be an issue.

Thanks for that answer, as this is what I was looking for… whether using the same secret key is bad or not.
But for now that will not work for me :frowning: as I have many login setups already…

@sid … “Unfortunately with a static key it would be possible for two users to have the same credentials allowing cross account access (unless you have a centralised user table and the login name field value is flagged as unique?)” … as this was the concern…

@Hyperbytes… would you then say it might be a valid feature request… to be able to select the secret keys via a “data source”?

If they are all using the same CMS backend, so the users table is centralised and you prevent duplicates (both via the API validator function and, I would advise, at database level also), then the issue of two users having the same login cannot happen, so changing the security key is not important.

  • They are all using the same CMS backend on their own hosting (just the same programme) and a unique database.
  • So each client has their own unique CMS and database…
  • So I load the CMS to 10 different sites… each with their own database… so no interlinking of databases or data, so to speak… so it's 10 unique sites… if you want to call it that…

So your concern is what exactly? If each host uses a separate database then the only way to duplicate logins across multiple sites is to know the details in the first place and register them on multiple sites, so the security key is irrelevant. They can either log in or not, surely.

Yes, I understand that… I just wanted to know if there would be any security concerns using the same Security Key on 10 different unique sites, each with their own database and CMS as a standalone… I was worried that if I use the same key for all 10 sites… it might be a security risk… as I did not see documentation on this… and I was worried that it might cause an issue…

So in short… if all the sites I develop on Wappler have the same Secret Keys… it would not be a security risk… so the same Secret Key can be used on all sites? I guess that is the question.

I do not believe there is any security risk involved, as nothing is subject to any form of reverse decryption.
The solution I suggested would add an extra level of security, but I do not think it is required.

1 Like

To address the concern here: having the same secret key will NOT mean two users with the same password in the system/user table will get cross access.

1 Like

The only people who can gain access to each site are those who already have the login details, i.e. username and password. The secret key is irrelevant.

It is not possible to gain access by reference to the secret key only; it is only one of many levels in the security stack.

1 Like