feat: support storing, retrieving and refreshing encrypted secrets at account or asset level #2236
nhoening wants to merge 4 commits into
Conversation
… account or asset level Signed-off-by: Nicolas Höning <nicolas@seita.nl>
Signed-off-by: Nicolas Höning <nicolas@seita.nl>
…on initialization there Signed-off-by: Nicolas Höning <nicolas@seita.nl>
Flix6x
left a comment
Probably some discussion points before proceeding?
| Provider strategies | ||
| ------------------- | ||
|
|
||
| Implement provider behavior behind a strategy interface. The core application |
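Review bot: the "Provider strategies" section tells plugin authors to put provider behaviour behind a strategy interface, but the visible lines never say what that interface is or which operations a strategy has to implement (at minimum, obtaining a token and refreshing it), so a plugin author cannot act on it; either list the methods the core application calls on a strategy, or drop the heading and fold the sentence into the token-refresh guidance that follows.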
What? This came across to me as a very difficult to parse AI-written section.
(The linebreak pattern is a dead giveaway.)
|
|
||
| Persist encrypted access tokens with an ``expires_at`` value in ``secrets`` if | ||
| they need to be reused across workers. The database then becomes the shared | ||
| coordination point. Use a refresh margin that expires before the token itself, |
| * Replace any cached access token after the durable secret update succeeds | ||
| * Keep enough error context to tell users that reconnecting may be required |
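Review bot: the guidance makes the database the "shared coordination point" for tokens reused across workers, but does not say how two workers that both observe a token inside the refresh margin avoid refreshing it concurrently; with providers that rotate refresh tokens on every use, a double refresh leaves one worker holding a refresh token the provider has already revoked. Suggest stating that the worker must lock the row (SELECT ... FOR UPDATE) or do a compare-and-set on ``expires_at`` before calling the provider, and re-check the margin after acquiring the lock, so that "Replace any cached access token after the durable secret update succeeds" is only ever done by the worker that performed the refresh.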
Flix6x
left a comment
I was also thinking that this PR might need CLI logic to rotate the FLEXMEASURES_SECRETS_ENCRYPTION_KEY key, updating secrets accordingly. That is, decrypting secrets that were encrypted using the old key, and encrypting them with the new key.
I would suggest doing a follow-up PR for that.
…ove plugin docs section Signed-off-by: Nicolas Höning <nicolas@seita.nl>
Description
With this PR, secrets like refresh and access tokens can be stored (encrypted) in the db on account or asset level.
This allows us to stop saving them as-is in configuration files. This PR also adds supporting logic which manages token refresh cycles.
- `secrets` field on account and asset level
- `flexmeasures edit secret`
- documentation/changelog.rst
Look & Feel
None
How to test
I tested this in a plugin which connects to 3rd party platforms, by adding code which integrated with these new fields and utils. I added a `login` CLI command there, plus `get_3rdparty_platform_access_token()` helpers and explicit warnings and errors.
Further Improvements
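The description above (encrypted secrets on an account or asset, plus logic that manages the refresh cycle) and the review suggestion about rotating the encryption key can be made concrete in one small model. The following is an added example written for this page, not FlexMeasures code and not the plugin the author tested with: an in-memory stand-in for the `secrets` field, a `get_access_token()` that refreshes inside a margin before `expires_at` while holding a per-owner lock (the in-process analogue of locking the database row), and a `rotate()` that re-encrypts every stored blob under a new key id. The cipher is a stdlib-only construction (HMAC-SHA256 as a counter-mode keystream with a separate HMAC tag) chosen so the example runs without third-party packages; the PR does not say which cipher FlexMeasures uses, and the margin value, blob layout and provider response shape are all assumptions of this example.

```python
# Added example, not FlexMeasures code. Cipher, margin, blob layout and the
# provider's response shape are assumptions made for this illustration.
import hashlib
import hmac
import json
import os
import struct
import threading

REFRESH_MARGIN_SECONDS = 300  # assumed: refresh this long before expires_at


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Distinct keys for keystream and tag, so the master key serves one HMAC role each.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(kid: str, key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), kid.encode() + nonce + ct, hashlib.sha256).digest()
    # The key id travels with the blob so rotation knows which key decrypts it.
    return {"kid": kid, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(keys: dict, blob: dict) -> bytes:
    key = keys[blob["kid"]]
    nonce, ct, tag = (bytes.fromhex(blob[f]) for f in ("nonce", "ct", "tag"))
    expected = hmac.new(_subkey(key, b"mac"), blob["kid"].encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before decrypting
        raise ValueError("secret blob failed authentication (tampered or wrong key)")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SecretStore:
    """Stand-in for the encrypted `secrets` field on an account or asset row."""

    def __init__(self, keys: dict, current_kid: str):
        self.keys, self.current_kid = dict(keys), current_kid
        self.rows = {}   # owner id -> encrypted blob
        self.locks = {}  # per-owner lock: in-process analogue of SELECT ... FOR UPDATE

    def lock(self, owner: str) -> threading.Lock:
        return self.locks.setdefault(owner, threading.Lock())

    def put(self, owner: str, secret: dict) -> None:
        self.rows[owner] = encrypt(self.current_kid, self.keys[self.current_kid], json.dumps(secret).encode())

    def get(self, owner: str) -> dict:
        return json.loads(decrypt(self.keys, self.rows[owner]))

    def rotate(self, new_kid: str, new_key: bytes) -> int:
        """Re-encrypt every row under the new key; old keys stay loaded for decryption only."""
        self.keys[new_kid] = new_key
        self.current_kid = new_kid
        for owner in list(self.rows):
            self.put(owner, self.get(owner))
        return len(self.rows)


def get_access_token(store: SecretStore, owner: str, refresh_with_provider, now: float) -> str:
    """Return a usable access token, refreshing it when inside the margin."""
    secret = store.get(owner)
    if secret["expires_at"] - now > REFRESH_MARGIN_SECONDS:
        return secret["access_token"]
    with store.lock(owner):
        secret = store.get(owner)  # re-read: another worker may have refreshed while we waited
        if secret["expires_at"] - now > REFRESH_MARGIN_SECONDS:
            return secret["access_token"]
        fresh = refresh_with_provider(secret["refresh_token"])  # assumed keys: access_token, refresh_token, expires_in
        secret = {"access_token": fresh["access_token"], "refresh_token": fresh["refresh_token"],
                  "expires_at": now + fresh["expires_in"]}
        store.put(owner, secret)  # persist first; only then hand out the new token
        return secret["access_token"]


def demo() -> dict:
    """Constructed walk-through: two workers hit the refresh window, then the key is rotated."""
    store = SecretStore({"k1": os.urandom(32)}, "k1")
    store.put("asset:42", {"access_token": "old-a", "refresh_token": "old-r", "expires_at": 1000.0})
    calls = []

    def provider(refresh_token):  # fake provider that rotates the refresh token on every call
        calls.append(refresh_token)
        return {"access_token": f"new-a{len(calls)}", "refresh_token": f"new-r{len(calls)}", "expires_in": 3600}

    t1 = get_access_token(store, "asset:42", provider, now=900.0)  # 100 s left, inside margin: refresh
    t2 = get_access_token(store, "asset:42", provider, now=901.0)  # second worker reuses the stored token
    rotated = store.rotate("k2", os.urandom(32))
    return {"tokens": (t1, t2), "provider_calls": calls, "rotated": rotated,
            "kid": store.rows["asset:42"]["kid"], "refresh_token": store.get("asset:42")["refresh_token"]}


if __name__ == "__main__":
    print(demo())
```

The second call never reaches the provider because it re-reads the row after the margin check; in a real deployment that re-read happens under the row lock, which is what turns the database into the coordination point rather than just the storage. Rotation keeps old key ids loaded for decryption only, so blobs written before the rotation remain readable until they have been re-encrypted, and the tag check rejects a blob decrypted with the wrong key instead of returning garbage.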