Vulnerability in EPiServer.Forms
I am integrating ImageShop (DAM) into my Optimizely project and need to have my configuration set up in appsettings.json like this:
"token": "<api key>"
We are currently storing API-keys in DXP's app secrets, but in this case it needs to be added to appsettings.json. The documentation does not provide any way of substituting secrets with variables (something you can do with Azure Key Vault). How can I add the key into appsettings while also concealing its value?
Can you share the document for setting up ImageShop? There might be a way to override ...
I believe the way to do this is very similar to how Key Vault references are added in the Azure portal.
If you have access to a DXP environment in Azure and look at the connectionstrings, you will notice they have a Key Vault reference.
What you can do is get in touch with Opti support to request adding your values to key vault.
Once they do this you should receive the references and then add those to your appsettings.
I'm not sure if I understand your question correctly.
If you need to manage sensitive data for local development, you can use ASP.NET Core security manager.
The key you set in secret manager will need to be the same as the key you stored in DXP appsetting in the PaaS portal, so when your app gets deployed to DXP, it will automatically use the value stored in DXP appsetting.
There is one caveat from what I recall: the DXP appsetting does not support nested-level configuration setup. In other words, the way you stored your API key in the JSON won't work. You need to move your secret (token) to the root level within the AppSettings.json.
I hope the above helps.
The addon in question has code that reads from appsettings.json directly; it's not in OP's control.
@Laurent - I think the appropriate long-term action here is to raise the issue with ImageShop so they update their class to allow reading from Key Vault.