Post by chrisa99 on Oct 13, 2020 11:10:59 GMT -8
Hi there,
Is there anywhere that I can persist information that can be accessed only by the plugin? For instance, external web address, user name, password etc...
I'd like to keep it out of my Javascript code as I've seen errors happen before and that gives me access to the js file through the console. So I can see these details if I store them in there which opens it up for abuse. Plus that's not very good developing by hard coding values in the code!
I've had a look through the guide, and I think that maybe a super forum key may be the way to go. But again, the guide says "Setting a key must be done from a user action.", so maybe that isn't the best way either.
I could add validation at the other end but I'd much prefer to only have these details available to my plugin. Would muchly appreciate any advice you have!
Post by Kami on Oct 13, 2020 21:20:44 GMT -8
i'm not a plugin creator so i have no advice specific to this situation, but seeing "password" as an example of content being stored by javascript via plugin is very alarming. passwords should be securely stored and encrypted by back-end means, not client-side.
Post by Chris on Oct 19, 2020 9:56:49 GMT -8
> Hi there,
> Is there anywhere that I can persist information that can be accessed only by the plugin? For instance, external web address, user name, password etc...
> I'd like to keep it out of my Javascript code as I've seen errors happen before and that gives me access to the js file through the console. So I can see these details if I store them in there which opens it up for abuse. Plus that's not very good developing by hard coding values in the code!
> I've had a look through the guide, and I think that maybe a super forum key may be the way to go. But again, the guide says "Setting a key must be done from a user action.", so maybe that isn't the best way either.
> I could add validation at the other end but I'd much prefer to only have these details available to my plugin. Would muchly appreciate any advice you have!

Plugins have no inalienable rights except those that are conferred upon it by the rights of the user on whose device it is currently executing. Plugins do not execute on the server but rather in the browser environment of the user so whatever data a plugin is supplied would be governed by the access of the user currently executing it. A plugin cannot enter a restricted board for example if the user on whose device it is running has no such access, if it were running on an admin's device rather than a regular user then that would be a different story. With that in mind, the data that a plugin would be privy to would be based on the permissions the current user has and would either be included in the source code or obtained through XHR communication. You have to create your own privacy since there is no expectation of privacy in a plugin except in the case of a private user key where that data is only available if the user tied to that data is executing the plugin.
If you want private data to be kept private yet used in a public forum (accessible to all, such as a secret API key) then you would probably need a proxy server that can store that private data and act as a go-between for the user and the entity that needs that data or one by one have each user add that data to their private key. The other option would be to encrypt the data so even when viewed it would look like gibberish to the uninitiated but be sure that what can be encrypted can generally also be decrypted and all your data are belong to us.
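
The proxy option described in the reply above, sketched as an added example (not part of the thread and not ProBoards code): the secret lives only on the proxy, and the plugin calls the proxy over XHR/fetch without ever holding it. The hosts, the `/v1/lookup` path, the `Bearer` header scheme and all function names are assumptions for illustration.

```javascript
// Added example. Hosts, paths and names are hypothetical placeholders.
const CONFIG = {
  upstream: "https://api.example.invalid",        // service that needs the secret
  forumOrigin: "https://myforum.example.invalid", // where the plugin runs
  allowedPaths: new Set(["/v1/lookup"]),          // only what the plugin needs
};

// Decide what, if anything, to send upstream. The secret is supplied by the
// server (e.g. an environment variable); it never appears in plugin source.
function buildUpstreamRequest(clientReq, secret, config = CONFIG) {
  // Origin is set by browsers but can be forged by other clients, so this
  // filters casual cross-site use; it is not authentication.
  if (clientReq.headers.origin !== config.forumOrigin) {
    return { status: 403, error: "origin not allowed" };
  }
  if (clientReq.method !== "GET") return { status: 405, error: "method not allowed" };
  const url = new URL(clientReq.url, config.upstream);
  // Rejects "//other-host/..." and normalised "../" paths in one place.
  if (url.origin !== config.upstream || !config.allowedPaths.has(url.pathname)) {
    return { status: 404, error: "path not proxied" };
  }
  if (!secret) return { status: 500, error: "proxy not configured" };
  return {
    status: 200,
    url: url.href,
    // Assumed auth scheme; use whatever the upstream service expects.
    init: { method: "GET", headers: { authorization: `Bearer ${secret}` } },
  };
}

// Forward the call and return only status and body, so upstream headers
// (which may echo credentials or cookies) never reach the browser.
async function forward(clientReq, secret, fetchImpl = fetch, config = CONFIG) {
  const plan = buildUpstreamRequest(clientReq, secret, config);
  const cors = { "access-control-allow-origin": config.forumOrigin, vary: "Origin" };
  if (plan.status !== 200) return { status: plan.status, headers: cors, body: plan.error };
  const res = await fetchImpl(plan.url, plan.init);
  return { status: res.status, headers: cors, body: await res.text() };
}
```

Anyone who can reach the proxy can still make the calls it allows, so the path allow-list is what bounds the exposure; the secret itself stays out of the browser.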