This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

External Application Token is saved in a non-secure way #1

Open
miere opened this issue Jun 7, 2013 · 2 comments

Comments

@miere

miere commented Jun 7, 2013

Hi Dude,

We at ContaAzul are so impressed that you created an API wrapper. It seems well written and made for a good programming language. But, I would like to report a possible security issue.

Reading the source code, I figured out that the External Application Token is saved in a non-secure way. Please define it as an immutable parameter that the developer could fill in during development time.

The ContaAzul API's External Application Token is a UNIQUE identifier for the application that wants to communicate with it. Saving it in a file, OR explicitly in source code, could make it available to crackers. Heroku's team encourages their users to adopt environment variable configurations.
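As an added illustration of the environment-variable approach recommended above (example code written for this page, not code from the wrapper discussed in the issue; the page does not name the wrapper's language, so Ruby is an assumption, and the variable name CONTAAZUL_APP_TOKEN is likewise an assumption): the token is read once from the environment, the process refuses to start without it, the value is frozen so nothing can alter it afterwards, and the object redacts itself so the secret does not end up in logs or console output.

```ruby
# Added example, not code from the wrapper discussed in this issue.
# Loads the External Application Token from an environment variable
# instead of a fixture or source file. The variable name below is an
# assumption; the issue does not specify one.

class MissingTokenError < StandardError; end

class AppConfig
  ENV_VAR = "CONTAAZUL_APP_TOKEN".freeze

  # Reads the token from ENV (or a caller-supplied hash, which makes the
  # class testable). Raises instead of silently falling back to a
  # placeholder or fixture value, so a misconfigured deploy fails closed.
  def initialize(env = ENV)
    raw = env[ENV_VAR]
    if raw.nil? || raw.strip.empty?
      raise MissingTokenError, "#{ENV_VAR} is not set"
    end
    # Frozen copy: no code path can mutate the token after startup.
    @token = raw.strip.dup.freeze
  end

  def token
    @token
  end

  # Keep the secret out of logs, stack traces and irb/pry output.
  def inspect
    "#<AppConfig token=[REDACTED]>"
  end
  alias to_s inspect
end

# Returns true if the config's printable form would expose the token.
def leaks_token?(config)
  config.inspect.include?(config.token) || config.to_s.include?(config.token)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value for a stand-alone run; in a real deploy the
  # variable is set by the hosting environment, never committed to the repo.
  cfg = AppConfig.new({ "CONTAAZUL_APP_TOKEN" => "sample-token-for-demo" })
  puts cfg.inspect
  puts "leaks? #{leaks_token?(cfg)}"
end
```

The fixture file the wrapper ships for /pub/requestkey can keep a dummy value for tests; the point is that production code only ever reads the real token through AppConfig, and a missing variable surfaces immediately as MissingTokenError rather than as requests sent with an empty or placeholder token.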

@jnettome
Contributor

jnettome commented Jun 7, 2013

@miere Thanks for the feedback. I'm impressed with the speed for this contact.

So, I was doubtful about this key when I made my first implementation; with your message I see that I'm on the right track.
The key is not in fact being recorded in that file. That file is a fixture simulating the API return for /pub/requestkey, so this returning key I need to store to pass in every API request, am I right?

The keys that should be restricted are implemented as you suggested. Line 25 will be dropped out on next commit.

Makes sense or am I wrong?

(can you help me to get my API key?)

@velo

velo commented Jul 31, 2013

Hi @jnettome,

Sorry for the lack of feedback on your question. We were unaware you had questions.
If that is still a problem, could you please send it to [email protected]? There it will be addressed properly!

Have a nice week!
