question

SSB-7585 avatar image
0 Votes"
SSB-7585 asked ajkuma-MSFT commented

Azure Notification Hub where to specify connection info?

Hi,

I am following the tutorial in the link below to send push notifications from my WebAPI - they are saying to specify the Notification Hub Name and the Connection string using dotnet user-secrets


Is there anyway i can just set these in the code directly?
or via the appsettings.json file?

I know its not best-practice, but this is a small app right now


dotnet user-secrets init
dotnet user-secrets set "NotificationHub:Name" <value>
dotnet user-secrets set "NotificationHub:ConnectionString" <value>

https://docs.microsoft.com/en-us/azure/developer/mobile-apps/notification-hubs-backend-service-xamarin-forms#create-an-aspnet-core-web-api-backend-application

dotnet-xamarinazure-notification-hubsdotnet-aspnet-core-security
· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@SSB-7585, Thanks for the question. Yes. as outlined in the doc, a more secure approach is to store the password as a secret.

As in general case, you can try with database connection string stored in appsettings.json.
Environment variables are used to avoid storage of app secrets in code or in local configuration files. Environment variables override configuration values for all previously specified configuration sources.


In a test case, consider an ASP.NET Core app in which Individual User Accounts security is enabled. A default database connection string is included in the project's appsettings.json file with the key DefaultConnection. The default connection string is for LocalDB, which runs in user mode and doesn't require a password.

During app deployment, the DefaultConnection key value can be overridden with an environment variable's value. The environment variable may store the complete connection string with sensitive credentials.

See 'Important':

0 Votes 0 ·

@SSB-7585, Adding more to the above:

Important: As you mentioned, it’s not a best practice, just sharing for additional info. Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. Additional measures to prevent disclosure of user secrets may be required.

Never store passwords or other sensitive data in source code. Production secrets shouldn't be used for development or test. Secrets shouldn't be deployed with the app. Instead, production secrets should be accessed through a controlled means like environment variables or Azure Key Vault. You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.

Example:

{
"ConnectionStrings": {
"Testspace": "Server=(localdb)\\mssqllocaldb;Database=Testspace-1;User Id=Testuser;Password=randompassword;MultipleActiveResultSets=true"
}
}

0 Votes 0 ·

P.S. I have added additional tags to receive insights from the respective SMEs/community.

0 Votes 0 ·

Hi does this apply for the Notification Hubs connections as well? Or just databases?

I'm not clear how to set the Azure Notification Hub Name and Notification Connection

0 Votes 0 ·

@SSB-7585, I understand you have stated "I know its not best-practice, but this is a small app right now" , could you please share the underlying requirement to not use dotnet user-secrets?
If it fits your requirement, the other best option would to be use KeyVault to store the connection string and hub name as per 'Azure Key Vault configuration provider in ASP.NET Core | Microsoft Docs'

As noted, it is not considered best practice to leave the connection string unencrypted locally.


0 Votes 0 ·
Show more comments

0 Answers