10

I am searching for a way to safely store app secrets in a Blazor WebAssembly application. We can find details for server-side applications in the MSDN documentation below.

https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows

How can we use these kinds of secrets in a Blazor WebAssembly application, which runs completely in the client browser?

My basic scenario is that I need to keep the passwords and product key (licensing key) information out of the application code. For example, we load the license inside the static main method of Program.cs.

https://i.stack.imgur.com/kCrV1.png

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static async Task Main(string[] args)
    {
        // want to access the product key here and need to avoid hardcoding
        SomeThirdPartyLibrary.RegisterLicense("product-key");
        var builder = WebAssemblyHostBuilder.CreateDefault(args);
        builder.RootComponents.Add<App>("app");

        builder.Services.AddTransient(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });

        await builder.Build().RunAsync();
    }
}
```

I have searched the Blazor documentation and was not able to find any details on this. Please help me find the recommended way of resolving this in Blazor WebAssembly.

(For server-side, we have a variety of options, but for client-side, what might be the recommended way?)

user3860630
  • Who do you want to keep it from? The user? – H H Jul 02 '20 at 15:51
  • My scenario is that I want to get the password from the secret file in the static main method of Program.cs. For that, I am checking multiple ways; I can do it easily on the server side but not on the client side. – user3860630 Jul 02 '20 at 16:15
  • If my requirement is wrong, then please suggest the recommended way of keeping the app secrets out of the application code. Anyone, please help me. – user3860630 Jul 02 '20 at 16:34
  • Does this answer your question? [How to protect/encrypt data stored in session/local storage in Blazor WebAssembly](https://stackoverflow.com/questions/62787148/how-to-protect-encrypt-data-stored-in-session-local-storage-in-blazor-webassembl) – Trenton McKinney Jul 31 '22 at 17:18

2 Answers

1

If you store it on the client, it's not safe.

There is an experimental MS NuGet package that claims to make the storage safe by encrypting it - Microsoft.AspNetCore.ProtectedBrowserStorage

You can read how to use it here https://learn.microsoft.com/en-us/aspnet/core/blazor/state-management?view=aspnetcore-3.1

Peter Morris
  • Thank you. I need to access the details in program.cs before initializing blazor. Any help for this? – user3860630 Jul 02 '20 at 16:56
  • 3
    As per the link, Microsoft.AspNetCore.ProtectedBrowserStorage is only supported in Blazor server projects. – WinFXGuy Feb 03 '21 at 00:02
  • But how will you be doing calls to a database server? – Toolkit Mar 20 '21 at 18:22
  • 2
    @Toolkit You NEVER give a client access to the database server, it is a security flaw. The client should talk to an API server, and that should connect to the server. – Peter Morris Mar 22 '21 at 09:57
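
The arrangement described in the comment above (the client talks to an API server, and only the server holds the credential), as an added example that is not part of the original answer or comments. It assumes a separate ASP.NET Core server project on .NET 6 or later with implicit usings; the configuration key `ThirdParty:ApiKey`, the upstream URL and the `/api/report/{id}` route are hypothetical names. It covers secrets used to call another service; a key that a library must receive inside the browser cannot be hidden this way.

```csharp
// Server project Program.cs (ASP.NET Core minimal API). Added example, hypothetical names.
using System.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

// The key is read from server-side configuration only: `dotnet user-secrets` in
// development, an environment variable or a vault in production. It is never
// part of the files the browser downloads.
var apiKey = builder.Configuration["ThirdParty:ApiKey"]
    ?? throw new InvalidOperationException("ThirdParty:ApiKey is not configured.");

// Named HttpClient that attaches the credential to every upstream request.
builder.Services.AddHttpClient("upstream", c =>
{
    c.BaseAddress = new Uri("https://api.example.invalid/"); // placeholder upstream
    c.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", apiKey);
});

var app = builder.Build();

// The Blazor WebAssembly client calls this endpoint with its own HttpClient,
// e.g. Http.GetStringAsync("api/report/42"), and never sees the key.
app.MapGet("/api/report/{id:int}", async (int id, IHttpClientFactory factory) =>
{
    var upstream = factory.CreateClient("upstream");
    using var response = await upstream.GetAsync($"reports/{id}");

    // Do not relay upstream error bodies; they may echo request details.
    if (!response.IsSuccessStatusCode)
        return Results.StatusCode(StatusCodes.Status502BadGateway);

    var json = await response.Content.ReadAsStringAsync();
    return Results.Content(json, "application/json");
});

app.Run();
```

The endpoint itself still needs to authenticate and authorize its callers, otherwise anyone who can reach it can use the key indirectly.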
0

You can use memory config by using MemoryConfigurationSource.

Example:

```csharp
using System.Collections.Generic;
using Microsoft.Extensions.Configuration.Memory;

var appsettings = new Dictionary<string, string>()
{
   { "API:Key", "12345" }
};
// InitialData is a property, so it is set with an object initializer
var config = new MemoryConfigurationSource { InitialData = appsettings };
builder.Configuration.Add(config);
```

Then wherever you want to use it, just @inject configuration (in Razor pages), or in your Program class it will look like:

```csharp
builder.Configuration.GetValue<string>("API:Key")
```
viendev
  • Is this secure? Can a hacker not have access to values saved in MemoryConfigurationSource? – WinFXGuy Feb 03 '21 at 00:03
  • `There's no .NET server-side dependency. The app is fully functioning after it's downloaded to the client.` So that means that the app will be calling DB server and you can see the traffic. I am assuming it is unsafe – Toolkit Mar 20 '21 at 18:21