
KRL module that is configured with API key


I'm writing a KRL module for an API. The API requires an access key, and that needs to be provided by the ruleset that calls my module. My module includes my access key that is used by the in-module test rules.

The ruleset that uses my module provides the access key like this:

use module a421x99 alias SuperModule with access_key = "01234567";

1 - How do I write my module so that the access key doesn't leak into the generated JavaScript?

2 - Suppose the calling ruleset doesn't provide an access_key. How do I protect my own access key that I put in the module for testing?


Solution

  • First of all, you ought to be including API keys using a key block in the meta, like this:

    key s3 {
      "access_key" : "--access_key--"
    }
    

    That's better than storing or passing keys in plain strings.

    Second, your module needs a configure using line in the meta (I'm assuming you already have one). Passing an empty hash as the default value will prevent your hard-coded key in the module from being used by a ruleset calling the module.

    configure using s3keys = {}
    

    Finally, in the global block do something like this:

    usekeys = s3keys || keys:s3();
    

    This tells KRL to use either the s3keys that was passed in by the calling ruleset or else the s3 key from the module's own meta block if your module is being used by itself. Even if someone uses your module, they will never get your keys:s3() because of the default value you set in the configure using line.

    Once you have usekeys, you can pick() out the pieces you need:

    access_key = usekeys.pick("access_key");
    

    Sam's Twilio module is a great place to refer for examples.
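Putting the answer's pieces together, as an added sketch that is not from the original post: the module skeleton with the key block, the `configure using` default and the global-block fallback, plus a calling ruleset that supplies its own key instead of a literal string. The `provides` clause, the `fetch_status` function, the `http:get` call, the rule bodies and the caller's ruleset id are assumptions; a421x99 is the id from the question.

```krl
// Two rulesets shown together; in practice each lives in its own file.
ruleset a421x99 {
  meta {
    name "SuperModule"
    provides fetch_status        // assumed function name; the keys are never exported
    // Empty-hash default: a caller that passes nothing gets {} here, not the module's key.
    configure using s3keys = {}
    key s3 {                     // module's own key, for its test rule (placeholder value)
      "access_key" : "--access_key--"
    }
  }
  global {
    // Caller-supplied keys win; the module's own key is only the fallback.
    usekeys = s3keys || keys:s3();
    access_key = usekeys.pick("access_key");
    // Assumed exported function: uses the key for the request but returns
    // only the status code, so the key value never leaves the module.
    fetch_status = function(path) {
      resp = http:get("https://api.example.com" + path, {"access_key": access_key});
      resp.pick("$.status_code")
    };
  }
  // In-module test rule, exercised only when the module runs on its own.
  rule self_test {
    select when pageview ".*"
    notify("SuperModule", "status: " + fetch_status("/ping"));
  }
}

// Calling ruleset (placeholder id). Its key lives in its own key block and is
// passed in whole as s3keys, so no literal key string appears in the source.
ruleset a999x0 {
  meta {
    name "Caller"
    key s3 {
      "access_key" : "<caller's own access key>"
    }
    use module a421x99 alias SuperModule with s3keys = keys:s3()
  }
  rule use_it {
    select when pageview ".*"
    notify("Caller", "status: " + SuperModule:fetch_status("/ping"));
  }
}
```

The caller's `with s3keys = keys:s3()` replaces the question's `with access_key = "01234567"` form, so the key is read from the caller's own key block rather than typed into the ruleset source.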