Secrets are viewable in plaintext in AppDaemon dashboard via app arguments #1992

Open
HomerAssistant opened this issue Apr 17, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@HomerAssistant

What happened?

I am able to see secrets I've provided an application as arguments in my apps.yaml file. I specify the secrets in secrets.yaml and use !secret var_name in apps.yaml. However, I can still see the secret by navigating to the AppDaemon dashboard on port 5050 and viewing the app's arguments. The dashboard is accessible without a username or password on the local network. Please advise if there is a way to prevent this?

Clicking this discloses the secrets.

image

Version

4.4.2

Installation type

Home Assistant add-on

Relevant log output

No response

Relevant code in the app or config file that caused the issue

No response

Anything else?

No response

@HomerAssistant HomerAssistant added the bug Something isn't working label Apr 17, 2024
@acockburn
Member

Hi there - the secrets mechanism is intended primarily as a way to facilitate passing around of config files without having them contain sensitive information of this nature.

By design, the app parameters are visible in the dashboard. Passing passwords as parameters is inherently insecure in any case, and there are better approaches.

AppDaemon doesn't give you any specific help here, but it has all of Python available to you. If I wanted to solve this issue I would put the passwords in a file and read them from the app during initialize. If you wanted to lock that down further you could manually encrypt the passwords using something like passlib.

@acockburn acockburn added enhancement New feature or request and removed bug Something isn't working labels Apr 17, 2024
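
The approach suggested in the reply above (keep passwords in a file and read them during `initialize`), as an added example that is not AppDaemon's or the maintainer's code. The `credentials_file` argument name, the JSON file format, the `api_password` key and the `CredentialedApp` class are assumptions made for illustration; the permission check is an extra hardening step not mentioned in the thread.

```python
import json
import os
import stat

try:  # AppDaemon is only importable inside a real deployment
    import appdaemon.plugins.hass.hassapi as hass
    AppBase = hass.Hass
except ImportError:
    AppBase = object  # lets the helper below run without AppDaemon


def load_credentials(path, required=()):
    """Read a JSON object of secrets from `path`, refusing loose permissions."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    # Reject any group/other permission bit (anything beyond owner-only, e.g. 0600).
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("credentials file must contain a JSON object")
    missing = [k for k in required if k not in data]
    if missing:
        raise KeyError(f"missing credential(s): {', '.join(missing)}")
    return data


class CredentialedApp(AppBase):
    """Hypothetical app: apps.yaml carries only `credentials_file: <path>`."""

    def initialize(self):
        # self.args holds only the file path, never the password itself.
        creds = load_credentials(
            self.args["credentials_file"], required=("api_password",)
        )
        self._api_password = creds["api_password"]  # kept out of self.args
```

With this layout the app's arguments contain a path rather than a `!secret` value, so the secret is not part of what the dashboard lists as app arguments.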