Struggling with Securing Environment Variables in Deployed Desktop Apps

Hello, I'm creating an Avalonia desktop app that takes user input and generates a PDF by overlaying input text over a template image. The end result is a certificate for the completion of a canvas course for the interns at my company. The PDF generation is done, and I didn't have any issues with that. However, I would like the end user, whoever is handing out a certificate, to have an email sent to the certificate recipient when the PDF is generated.

I've used Gmail SMTP to successfully send the emails, but I couldn't figure out how to secure the environment variables in the deployed app. I then tried setting up an AWS Lambda function to hide the environment variables, but now I have the API Gateway endpoint that I don't want hardcoded into my application. It seems like any solution to this will just continue to push the issue further back.

So, my question is: is there any way to deploy a .NET desktop application that does what I want it to do while keeping environment variables safe? My thought is that I might need to set up some kind of authentication and an actual web server on an EC2 instance to do this. Maybe I should just drop my goal of sending emails from within the application, but it seems like there would be some way to do this. Any input and guidance would be appreciated! I've been trying to find a solution for over a week now with no luck.
8 Replies
Pastafartian (OP), 2d ago
@TeBeCo I see, that makes sense. So does that mean the only solution to what I'm trying to do would be to set up authentication? I was trying to avoid that, since this app will only be used internally, but I suppose it still makes sense from a security standpoint. I just didn't expect that simply sending an email would turn out to require this much work haha
Buddy, 2d ago
The only way is to never send the secrets to the client, but have an API that the desktop app sends a POST request to.
Pastafartian (OP), 2d ago
@Buddy I do have an API set up through AWS that routes requests to my Lambda function, but I worry about exposing the URL to the API in my app. All of the other secrets are now held in AWS. I'm brand new to AWS, so maybe there's something that can be done through there?
Thalnos, 2d ago
I'm pretty sure AWS has a keystore equivalent to Azure Key Vault where you can store secrets securely and read them from there. "AWS Secrets Manager" seems to be it.
SleepWellPupper
Is this an internal application only? In that case, could the user log on to an email account locally, storing their credentials on the machine (just like an email client, I reckon)? Is the mail account one that the user should not have general (full) access to?
cned, 17h ago
Even if you put it in AWS, now you need to set up authentication for that. (Since I assume you don't want me, a rando on the internet, using it to send mail). At the end of the day, you need a way to answer "who is allowed to send emails". There are lots of ways to do that, but in general "if they have this program" is not a strong one. (Though it's better than "has access to the internet", like an unsecured AWS endpoint would)
Auger, 15h ago
Yeah, this sounds like a scenario where you would want authentication of some sort. If you're working in a company, you might be able to onboard to their authentication provider, e.g. Microsoft Entra, and just having a verified work email is good enough. By being authenticated, you end up with some sort of token (like a JWT) that you can configure to work with your backend, which would validate it when it receives a request from your desktop app, and then have your backend generate the PDF and email it (if I read what your app does correctly).
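
Added example, not part of the thread or any participant's code: the backend gate that cned and Auger describe, written as a Lambda-style Python handler that refuses to reach the mail path unless the request carries a valid token. To stay standard-library-only it verifies HS256 against a constructed key held by a stand-in issuer; Entra tokens are RS256-signed and would be checked against the tenant's published signing keys with a JWT library. The issuer, audience, key, and event shape are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (hypothetical issuer, audience and key).
ISSUER = "https://idp.example.test/"
AUDIENCE = "api://certificate-mailer"
IDP_KEY = b"constructed-demo-key-not-a-real-secret"

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, key=IDP_KEY, alg="HS256"):
    """Stand-in for the identity provider; the desktop app never holds the key."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate(token, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims, got = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; do not let the token choose
        raise ValueError("unexpected alg")
    want = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(got, want):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def handler(event, context=None):
    """Lambda-style entry point (assumed event shape): authenticate before any mail logic."""
    auth = (event.get("headers") or {}).get("authorization", "")
    try:
        claims = validate(auth[7:] if auth.startswith("Bearer ") else "")
    except ValueError as err:
        return {"statusCode": 401, "body": str(err)}
    # SMTP credentials stay server-side and would be loaded here; sending is out of scope.
    return {"statusCode": 202, "body": f"queued for {claims.get('sub')}"}
```

With this in place the endpoint URL in the desktop app is no longer something to hide: a caller who knows the URL but holds no valid token gets a 401.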
