How to securely store username and password for an API within my app

Hi all

Complete newbie Homey app and JavaScript developer here, building my first app, and I’m looking for advice on how to securely store a user’s username and password entered into app settings for my app.

The app accesses an API that uses JWT for authentication. Each issued JWT expires after 7 days so I will periodically make a new API call to get a new JWT. That API call takes as parameters the user’s username and password for the API.

Since this is security related I don’t want to do this by trial and error and get it wrong. Please could someone point me in the right direction or even better point me at a code example of how best to persist a username and password entered into app settings in my homey app?

Thanks in advance.
Jon

See ManagerSettings - Homey Apps SDK v3

this.homey.settings.set('username', username);

to get

const username = this.homey.settings.get('username');

Perfect. Thanks Mickel

Please do know that your App Settings can be read by ANY App that has access to the Athom-Api (no permission for your app is needed).
There are a lot of ways the settings are included, but for example:
return await Homey.apps.getAppSettings({id:'nl.qluster-it.DeviceCapabilities'})
So, some apps, like my lovely Device Capabilities, will “receive” that information also (it iterates through the Apps).

So, the only way to be safe (well, relatively) is to have it encrypted and have the keys only in memory (your app).

Reading out your source code is not possible with other apps (atm), so it’s “safe” to have active keys in memory on your own Homey.

Thanks Arie. I will look into how I can do encryption then.

1 Like

Devices also have a Store for saving data. It might be that other apps cannot read that, I’m not sure.
You can create a device like AVD (it uses that store) and then check the device in HS to see if you can see the store value.
(Sorry, I can’t do it, I’m on my phone)

@Jonathan_Draper in those kinds of cases I have an env.json with a secret key. And then I encrypt the password with that key.

encrypt function Example here: com.synology/helpers.js at main · martijnpoppen/com.synology · GitHub

It’s been suggested by Athom that with the new Homey Pro all files belonging to an app will be readable by adventurous users.

2 Likes

As far as I know the env.json is not accessible :confused:

Yes, for now. But on the new Homey Pro 2023 it will be different, as written in the developer update.

The new Homey Pro can be fully backed up to a Mac or PC using USB. This means the entire operating system & userdata is saved. Because of this new feature, it’s considerably easier for users to access and/or change Homey Pro’s filesystem, and therefore an app’s JavaScript code and environment variables.

The question of how information in an env.json will be protected remains unanswered, neither in the AMA nor on Slack.

2 Likes

Ah yes…
I sent Athom a message, let’s hope they’ll explain that part

I hope they will answer you :wink:

1 Like

This is what they wrote in the developer newsletter from October 12th:

The new Homey Pro can be fully backed up to a Mac or PC using USB. This means the entire operating system & userdata is saved.
Because of this new feature, it’s considerably easier for users to access and/or change Homey Pro’s filesystem, and therefore an app’s JavaScript code and environment variables.

1 Like

Yes, but you might expect they’ll provide an alternative for env vars, right :slight_smile:

Well…

1 Like

Ah well… :frowning:

Okay @Jonathan_Draper, I just checked:

I cannot seem to find a way to read the Store Values from devices from another App.

Meaning, you could just store the Username and Password, or a Random Generated Encryption Key, in a device’s Store.

AFAIK, this can only be read by the App itself. Even the Web API Playground cannot access this information as far as I can see (if I am wrong, please let me know).

I understand a User could open its own Homey and access the fields, but that’s not an issue, right?
You asked about saving its username and password, I guess this is the safest way.

Now you talk about JWT, so I’ll assume you also have some other “secret” key (I know it can work without, but then the App-ID or whatever).
I don’t know where to save that, since, as you can read above, in a short while, every user can read your source code (including the env.json).

But for storing a username and password from the user itself in a safe way that other apps or remote access cannot read it, the Device Store seems to me like the fitting solution.

1 Like
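
The approach discussed in the posts above (encrypt the credentials, keep the key somewhere other apps cannot read), as an added example that is not from any poster or from the linked com.synology helper. The two Maps and the key name `credKey` are hypothetical stand-ins for `this.homey.settings` and a device's Store; whether the Store is really private is the thread's unverified assumption.

```javascript
// Added example, not code from the thread. The Maps are stand-ins (assumptions):
// `settings` for this.homey.settings (readable by other apps, per the thread),
// `deviceStore` for a device's Store (assumed private in the thread, unverified).
const crypto = require('crypto');

const settings = new Map();
const deviceStore = new Map();

// Create the 256-bit key once and keep it out of app settings.
function loadOrCreateKey() {
  if (!deviceStore.has('credKey')) {
    deviceStore.set('credKey', crypto.randomBytes(32).toString('base64'));
  }
  return Buffer.from(deviceStore.get('credKey'), 'base64');
}

// Encrypt with AES-256-GCM. The setting name is bound in as associated data,
// so a blob saved under 'username' will not decrypt as 'password'.
function seal(key, name, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt and authenticate; throws if the blob, key or name does not match.
function unseal(key, name, blob) {
  const [iv, tag, ct] = blob.split('.').map((p) => Buffer.from(p, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function saveCredential(name, value) {
  settings.set(name, seal(loadOrCreateKey(), name, value));
}

function readCredential(name) {
  return unseal(loadOrCreateKey(), name, settings.get(name));
}

// Constructed sample values.
saveCredential('username', 'jon@example.test');
saveCredential('password', 'correct horse battery staple');
console.log(settings.get('password'));  // opaque blob: all another app would read
console.log(readCredential('password'));
```

Anyone who can read both the settings and the place the key is kept can still decrypt, so this only helps against readers of app settings alone.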

Thank you @Arie_J_Godschalk for your detailed reply. This is great. For the JWT I don’t think I will need to persist that since I can make an API call with the username and password to get a JWT back and just keep that in memory as far as I can tell. All the other calls then take the JWT and an app ID which is just public for all calls to this API.

Thank you again for your help

1 Like

To be honest, while @Arie_J_Godschalk’s method seems to be a solution, it is also based on his assumptions and the fact he can see no method to retrieve the stored information from outside the app.
It’s not that I’m not trusting Arie’s knowledge, but I would go for the facts and not assumptions, so I suggest you have this method confirmed by Athom.

1 Like

Indeed, it’s an assumption and if you can verify it, that would certainly be the smart thing to do!

Also, I just checked basic Homey ways to check the access, I have not tried any real hacks or anything and I am not very knowledgeable about Node.js.