I have created a resource that only uses the base API URL.
I'm using a query in my app where I store my Client ID and Client Secret in the body to get the bearer token.
This token expires in 3000.
My plan is to set up a query to post the file to our file storage.
Note: I have never used an API before and am in the process of learning this now.
As the Client Secret is stored as plain text in the query, I have a security question about this.
Maybe set up two resources, one with the Client ID and Client Secret and one using the token from the first?
How to post a file but request a new token if it has expired
Just wondering: Is this your own file storage or is it a service like drive/Dropbox?
Usually you have a client secret that you send as a header to the service. You’ll receive a token or a session id. The token you store on your client side, for instance in a variable, local storage or in memory. I guess you do not really need to store it. I do not know if it makes a difference security-wise though. I imagine you can extract the token from a variable or as a result from a REST request either way. That’s why you let it expire.
The token can be set in a header in the second request. So it doesn’t have to be in the body. Also I do not know if it would have any effect on security if it is in the body or in the header. Seems to me that both can be extracted.
Secrets, passwords and client_ids should usually be stored in environment variables. You can read about it here:
This way you can reuse them and store them outside your app. This way if you commit or export your app, it doesn’t contain sensitive data.
The file storage is in house on our server.
I'm using Retool on-prem and it does not have a resource to map a local disk, so I need to use our REST API.
Will setting up a separate REST API resource with Authentication be more secure, as the Client Secret will not be shown?
Example:
Setting up Auth for REST APIs can be a little tricky to understand at first (or at least it was for me), but I would highly recommend checking out our docs on our built-in Auth options and evaluating whether any of these would meet your and your team's needs.
We also have Custom Auth as well for cases that are not covered with our built in auth options.
Other users have asked about security of tokens/Client IDs/Client Secrets and I can confidently say that Retool Queries will obfuscate these in most if not all cases.
I believe we have docs explaining that process, as it is mostly set up by default based on the name you give the tokens in your request header, with the token saving being done automatically.
On your second point, about what happens when the token expires: our built-in auth options should detect that the token has expired and prompt the user to re-auth into the auth provider. Once they have completed the re-auth flow they will be able to make the REST API query as normal, with the new token automatically attached to the query's request!
It is a very complex process, but definitely check out our docs and browse the forums, as there are a whole lot of user posts about Auth options and custom auth for REST APIs.