Encryption and Merchant Login

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
I just wrote and uploaded a new payment plugin for PayFlowPro. I assumed that the logon credentials would be encrypted by the ISettingService. I just traced the execution and found that this is not the case. The login credentials for the merchant account (such as PayFlowPro, PayPal, Authorize.Net, etc) are being stored in the database in plain text. I know that customer credit card info is encrypted, and I think merchant account login info needs to be encrypted as well. Is there a way to do this already?

If not, I see two options.

1) I can encrypt this data just before the call to ISettingService.SaveSetting. I think this is a workaround, and not ideal.

2) I can extend ISettingService and its implementers to offer this functionality.

Does anyone else agree that storing this info in plaintext in the DB is foolish and risky? I doubt that I'm alone in this.
12 years ago
FlatNine wrote:
I just wrote and uploaded a new payment plugin for PayFlowPro. I assumed that the logon credentials would be encrypted by the ISettingService. I just traced the execution and found that this is not the case. The login credentials for the merchant account (such as PayFlowPro, PayPal, Authorize.Net, etc) are being stored in the database in plain text. I know that customer credit card info is encrypted, and I think merchant account login info needs to be encrypted as well. Is there a way to do this already?

If not, I see two options.

1) I can encrypt this data just before the call to ISettingService.SaveSetting. I think this is a workaround, and not ideal.

2) I can extend ISettingService and its implementers to offer this functionality.

Does anyone else agree that storing this info in plaintext in the DB is foolish and risky? I doubt that I'm alone in this.


You're not alone in understanding the risk of storing sensitive information in plain text. I think the optimal solution would be to annotate class members that should be encrypted and create a new implementation of ISettingService that considers the new annotations.


// Only members carrying the annotation would be encrypted by the new ISettingService implementation.
public class MerchantSettings {
    public string Username { get; set; }

    [SettingStorageFormat(Format.Encrypted)]
    public string Password { get; set; }
}
12 years ago
I would love to dive in and implement it like that. For now, I think I'll simply add encryption/decryption to the getters and setters in the settings class of my payment plugin.

This is mostly due to lack of time, but also that for this project I do not want to be using a non-standard version of nopCommerce. By that I mean if I were to add a new implementation of ISettingsService, it may not be available as a production release for a while. After I'm done with this current project, I'll circle back and do it as you suggested.

By the way - is there a library hook where I can grab encryption/decryption? I already have some routines that utilize the Microsoft Cryptography API, but I wouldn't want to add them (about 10-15 lines each) if something similar already exists in the library.
12 years ago
FlatNine wrote:
I would love to dive in and implement it like that. For now, I think I'll simply add encryption/decryption to the getters and setters in the settings class of my payment plugin.

This is mostly due to lack of time, but also that for this project I do not want to be using a non-standard version of nopCommerce. By that I mean if I were to add a new implementation of ISettingsService, it may not be available as a production release for a while. After I'm done with this current project, I'll circle back and do it as you suggested.

By the way - is there a library hook where I can grab encryption/decryption? I already have some routines that utilize the Microsoft Cryptography API, but I wouldn't want to add them (about 10-15 lines each) if something similar already exists in the library.


FlatNine, check out the IEncryptionService. Just inject it where you need encryption or use the resolve functionality (e.g. EngineContext.Current.Resolve<IEncryptionService>()).
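The two ideas in this thread, the annotation-driven approach proposed earlier and the IEncryptionService hook named in the reply above, combined into one sketch. This is an added example, not code from nopCommerce or from either poster: the attribute, the enum, the PayFlowProSettings class and the mapper are hypothetical, and the IEncryptionService shown here is a stand-in whose method names (EncryptText/DecryptText) are an assumption; in a real plugin the service would be injected rather than declared.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Marker attribute from the proposal above: only properties carrying it are encrypted at rest.
[AttributeUsage(AttributeTargets.Property)]
public sealed class SettingStorageFormatAttribute : Attribute
{
    public Format Format { get; }
    public SettingStorageFormatAttribute(Format format) => Format = format;
}
public enum Format { PlainText, Encrypted }

// Stand-in for nopCommerce's IEncryptionService (assumption: method names mirror the real one;
// in a plugin you would inject the real service instead of defining this).
public interface IEncryptionService
{
    string EncryptText(string plainText);
    string DecryptText(string cipherText);
}

// Hypothetical settings class for the PayFlowPro plugin discussed in the thread.
public class PayFlowProSettings
{
    public string Username { get; set; }
    [SettingStorageFormat(Format.Encrypted)]
    public string Password { get; set; }
}

// Applies encryption by annotation, so no getter/setter has to be hand-written per credential.
public class EncryptingSettingsMapper
{
    private readonly IEncryptionService _encryption;
    public EncryptingSettingsMapper(IEncryptionService encryption) => _encryption = encryption;
    static bool IsEncrypted(PropertyInfo p) =>
        p.GetCustomAttribute<SettingStorageFormatAttribute>()?.Format == Format.Encrypted;
    // Copy whose annotated string properties are ciphertext, ready for ISettingService.SaveSetting.
    public T ToStorage<T>(T settings) where T : new() => Transform(settings, _encryption.EncryptText);
    // Reverse mapping after ISettingService loads the stored values back.
    public T FromStorage<T>(T stored) where T : new() => Transform(stored, _encryption.DecryptText);
    private static T Transform<T>(T source, Func<string, string> f) where T : new()
    {
        var copy = new T();
        foreach (var p in typeof(T).GetProperties().Where(p => p.CanRead && p.CanWrite))
        {
            var value = p.GetValue(source);
            // Null and non-string values pass through untouched; only annotated strings are transformed.
            p.SetValue(copy, value is string s && IsEncrypted(p) ? f(s) : value);
        }
        return copy;
    }
}
```

Username is stored as-is because it carries no annotation, while Password round-trips through the encryption service in both directions.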
12 years ago
FlatNine wrote:
I would love to dive in and implement it like that. For now, I think I'll simply add encryption/decryption to the getters and setters in the settings class of my payment plugin.

This is mostly due to lack of time, but also that for this project I do not want to be using a non-standard version of nopCommerce. By that I mean if I were to add a new implementation of ISettingsService, it may not be available as a production release for a while. After I'm done with this current project, I'll circle back and do it as you suggested.

By the way - is there a library hook where I can grab encryption/decryption? I already have some routines that utilize the Microsoft Cryptography API, but I wouldn't want to add them (about 10-15 lines each) if something similar already exists in the library.


You can vote for the work item here:

http://nopcommerce.codeplex.com/workitem/10302
12 years ago
I'm going to try and get to this sooner than I thought. One question though - If I write a new implementation of the ISettingService interface, how can I ensure that this new one is the one that gets passed to my Controller constructor?