I would be interested in hearing what techniques people use for this too.


On a recent project, I stored passwords and other configuration in a JSON file and used json-doc with map functions to access configuration from the file or a set of pre-set values.

---- config.json
{ "username": "name", "password": "pass" }
---

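Then in XQuery:

(: Placeholder namespace URI for the "_" prefix; use your module's own. :)
declare namespace _ = 'urn:example:config';

(: Path to the JSON configuration file; can be overridden externally. :)
declare variable $configFile external := file:base-dir() || 'config.json';
declare variable $config := _:config-load($configFile);

(: Fallback values used when a key is absent from the file. :)
declare %private variable $_:config-defaults := map {
  'username': 'test',
  'password': 'test'
};

(: Return the value for $key from $cfg, or the default if it is not set. :)
declare function _:config($key as xs:string, $cfg as map(*)) {
  if (map:contains($cfg, $key)) then map:get($cfg, $key) else map:get($_:config-defaults, $key)
};

(: Load the configuration file as a map; an empty map if no URI is given. :)
declare function _:config-load($uri) as map(*) {
  if ($uri) then json-doc($uri) else map{}
};

let $user := _:config('username', $config)
return $user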



I hope this helps.


Vincent



From: basex-talk-bounces@mailman.uni-konstanz.de <basex-talk-bounces@mailman.uni-konstanz.de> on behalf of C. M. Sperberg-McQueen <cmsmcq@blackmesatech.com>
Sent: Saturday, June 25, 2016 7:02:52 PM
To: BaseX
Cc: C. M. Sperberg-McQueen
Subject: [basex-talk] storing passwords ...
 
Can any readers of this list recommend some reasonably prudent
technique for handling passwords that an XQuery module will need
to retrieve things via http?

I suppose there are two questions: (1) where do people store such
userid/password pairs? and (2) what's the best way to use them?

For storing, it has occurred to me that I can:

- hard-code them in the XQuery source
- store them in an admin-info document in the XQuery database
and look them up when needed
- don't store them at all but require the request to pass them in
as parameters (which offloads the burden of storing these things
onto the client)

The simplest way to use them is of course to inject them into the
URL, but I recall being warned that this means they can show up
in logs, so it's not a recommended practice.

Probably it is better to use http:send-request() with username
and password specified as attributes on the http:request method;
anyone who can confirm or deny this, please do.

I will be grateful for any and all guidance.

--
****************************************************************
* C. M. Sperberg-McQueen, Black Mesa Technologies LLC
* http://www.blackmesatech.com
* http://cmsmcq.com/mib
* http://balisage.net
****************************************************************
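
Added example, not part of either message in this thread: one way to combine the two ideas discussed above, reading the credentials from config.json and passing them to http:send-request() as request attributes (EXPath HTTP Client, as implemented in BaseX) so they never appear in the URL. The cfg namespace, the error names and the $endpoint URL are assumptions made for illustration.

```xquery
(: Added example. The cfg namespace, error names and $endpoint are hypothetical. :)
declare namespace cfg = 'urn:example:config';
declare namespace http = 'http://expath.org/ns/http-client';

declare variable $configFile external := file:base-dir() || 'config.json';
declare variable $endpoint external := 'https://example.org/protected/data.xml';

(: Load the credentials map and fail closed: no built-in default password. :)
declare function cfg:credentials($uri as xs:string) as map(*) {
  let $map as map(*) := json-doc($uri)
  (: Keys that are absent, null or empty in the file. :)
  let $missing := ('username', 'password')[not(string($map(.)))]
  return
    if (empty($missing)) then $map
    else error(xs:QName('cfg:missing-key'),
      'config keys missing or empty: ' || string-join($missing, ', '))
};

(: Send the credentials as request attributes, never as part of the URL. :)
declare function cfg:fetch($href as xs:string, $cred as map(*)) as item()+ {
  if (not(starts-with($href, 'https://'))) then
    (: Basic authentication is only base64-encoded, so require TLS. :)
    error(xs:QName('cfg:insecure-url'), 'refusing to send credentials without https')
  else
    http:send-request(
      <http:request method='get' href='{ $href }'
                    username='{ $cred?username }'
                    password='{ $cred?password }'
                    auth-method='Basic'
                    send-authorization='true'/>
    )
};

(: The first item returned is the http:response element; report its status. :)
let $response := cfg:fetch($endpoint, cfg:credentials($configFile))
return $response[1]/@status/string()
```

Keep config.json outside any directory served over HTTP and readable only by the account that runs BaseX.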