Create a Secure Secret and Use within Your Integration
If your integration is making requests to an API which requires an authorization token, that token can be securely stored and used through IFX. You may also have variables you need to define which change per environment, such as an API host URL. In this guide we will show you just how to handle these values.
Getting Started
IFX securely stores secrets for you in the format of name:value. While names and values can be modified, values will never be output once they’re stored.
Create or Manage a Secret
Using an API you can securely store one or more secrets for your integration. The API includes logic for you to create, edit or delete secrets. See Swagger doc.
Using a Secret
This section will guide you on how to use a stored secret within your integration. Once you add the secret to a constant file and in your handler, it will be deployed along with your integration to sandbox and prod.
Node.js
Secrets are used at runtime. You do not have to re-deploy your code when you add/change secrets.
Steps
- Create a file in the root of your project called .env if you do not already have one. This file will be ignored and should not be checked in to your repo. If you accidentally commit secret or sensitive information, you should be sure to squash that commit so it does not exist in your repo.
- Inside of the .env file, define variables as needed. This file can be used to define variables that differ by environment, a URL for example.
Secrets and Variables on Local Environment
On a local environment, you can store both secrets and variables. The value will be taken directly from the .env file.
mytoken=12345
contentApiHost=https://api.sandbox.{myOrg}.arcpublishing.com
Within your code, the key is accessed by using process.env['{key}']. Inside my handler:
console.log(process.env['mytoken']) // Output: 12345
console.log(process.env['contentApiHost']) // Output: https://api.sandbox.{myOrg}.arcpublishing.com
Secrets and Variables on Sandbox and Production
Secrets
On Sandbox and Production environments, the value for Secrets will be taken from Secrets Manager. In this case I would add to Secrets Manager with a payload:
{ "secretName": "mytoken", "secretValue": "67890" }
console.log(process.env['mytoken']) // Output: 67890
Variables
For non-sensitive variables you can use your environment files.
Sandbox Variables
API_HOST=https://api.sandbox.org.arcpublishing.com
const apiHost = process.env.API_HOST; // Value: https://api.sandbox.org.arcpublishing.com
Production Variables
API_HOST=https://api.org.arcpublishing.com
const apiHost = process.env.API_HOST; // Value: https://api.org.arcpublishing.com
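The console.log calls above are useful for a local check, but on sandbox and production the same line would write the Secrets Manager value to the logs. The following is an added example (not part of the original guide or the IFX SDK) that checks the required keys, builds the Authorization header, and redacts secret values before logging. The helper names, the sample host and the path are assumptions made for illustration.

```javascript
// Added example: missingKeys, redact and buildRequest are hypothetical helpers,
// not IFX SDK functions. The key names match the ones used on this page.
const REQUIRED = {
  secrets: ['mytoken'],          // sensitive: the value must never be logged
  variables: ['contentApiHost'], // non-sensitive, differs per environment
};

// Return the names (never the values) of required keys that are unset or empty.
function missingKeys(env = process.env) {
  return [...REQUIRED.secrets, ...REQUIRED.variables].filter(
    (key) => typeof env[key] !== 'string' || env[key].trim() === ''
  );
}

// Replace every occurrence of a secret value in a message with a marker.
function redact(message, env = process.env) {
  let out = String(message);
  for (const key of REQUIRED.secrets) {
    if (env[key]) out = out.split(env[key]).join(`[REDACTED:${key}]`);
  }
  return out;
}

// Build the URL and headers for an authorized call; fail fast on bad config.
function buildRequest(path, env = process.env) {
  const missing = missingKeys(env);
  if (missing.length > 0) {
    throw new Error(`Missing environment values: ${missing.join(', ')}`);
  }
  return {
    url: new URL(path, env.contentApiHost).toString(),
    headers: { Authorization: `Bearer ${env.mytoken}` },
  };
}

// Constructed sample values standing in for .env or Secrets Manager content.
const sampleEnv = {
  mytoken: '12345',
  contentApiHost: 'https://api.sandbox.example.invalid',
};
const req = buildRequest('/example/path', sampleEnv);
console.log(redact(`GET ${req.url} ${JSON.stringify(req.headers)}`, sampleEnv));
```

In a handler, call the helpers without the second argument so they read from process.env.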
Java
Local Secrets and Variables
Local testing can be done by creating src/main/resources/secret-local.properties and adding the following entry:
# ****** This file should not be checked in with the project!
# Local Secrets Property file
testSecret=ABCDEF12345
For sandbox and production environments
For this example, we assume the following:
- An integration called test-123 has been created
- A secret with a name of testSecret and value ABCDEF12345 has been created
- An event handler for commerce:verify_email has been created
The code below shows an HTTP request using a secret. The instructions are in code comments marked with // ******
// ******
// Add the name of the Secret into a constants file
// ******

package com.stagingmultisitelarge.constants;

public class SecretConstants {
    public static final String TEST_SECRET_KEY = "testSecret";
}

// The handler below lives in its own file.

package com.stagingmultisitelarge.events;

import java.io.IOException;

import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

// ******
// Add the Environment object to the Handler constructor
// in order to allow the secrets to be read
// ******
import org.springframework.core.env.Environment;

import com.arcxp.platform.sdk.annotations.ArcSyncEvent;
import com.arcxp.platform.sdk.handlers.async.EventHandler;
import com.arcxp.platform.sdk.handlers.async.EventPayload;

// ******
// Include the SecretConstants object
// ******
import com.stagingmultisitelarge.constants.SecretConstants;

@ArcSyncEvent("commerce:verify_email")
public class MySecretApiHandler extends EventHandler {

    private static final Logger LOG = LoggerFactory.getLogger(MySecretApiHandler.class);

    private final Environment env;

    private final HttpClient customHttpClient;

    @Autowired
    public MySecretApiHandler(Environment env) {
        this.env = env;
        this.customHttpClient = HttpClientBuilder.create().build();
    }

    @Override
    public void handle(EventPayload eventPayload) {
        // ******
        // Use the constant to access the secret's value
        // by looking it up on the Environment object
        // ******
        String testSecretValue = this.env.getProperty(SecretConstants.TEST_SECRET_KEY);

        HttpGet getRequest = new HttpGet("https://jsonplaceholder.typicode.com/posts");
        // ******
        // Add the secret to your http call
        // (the Bearer scheme is followed by a space, not a colon)
        // ******
        getRequest.addHeader("Authorization", "Bearer " + testSecretValue);

        try {
            this.customHttpClient.execute(getRequest);
        } catch (IOException e) {
            // Log the failure only; the secret value is never written to the log
            LOG.error("API Call Failed", e);
        }
    }
}