
Help with connecting to Sisense instance

herajapakse
8 - Cloud Apps

The current documentation advises configuring the connection with the following setup:


export const SISENSE_CONTEXT_CONFIG: SisenseContextConfig = {
    url: '<instance url>', // replace with the URL of your Sisense instance
    token: '<api token>', // replace with the API token of your user account
};


This approach involves passing the API token directly from the frontend, which raises security concerns. Can someone please recommend a more secure method for establishing the connection to the Sisense instance, as exposing the API token in the frontend does not seem ideal?
1 ACCEPTED SOLUTION

steve
Sisense Team Member

hi @herajapakse 

You shouldn't use API Tokens like this in production, for the reasons you state. We're going to update our docs soon to reflect this more strongly.

Most customers use Single Sign On (SSO) for embedded use cases, and the Sisense platform has built-in support for this (not specific to Compose SDK, but holistically). If SSO is configured for Sisense, then your Compose SDK configuration is pretty simple: just set ssoEnabled = true as documented here https://sisense.dev/guides/sdk/getting-started/authentication-security.html#single-sign-on

There are links from there to documentation on how to configure SSO on the Sisense platform side, and if you want to use your existing application as an identity provider then you should check out the basics on making a JWT handler that could be served from your application and have Sisense call that whenever someone is trying to authenticate with Sisense https://sisense.dev/guides/accessSecurity/jwt/

This can sometimes be a topic that reads more complicated than it actually is, so feel free to reach out to your customer success representative or support if you need some clarification on what to do.

FYI I don't think suggestion #2 below is relevant, since it's talking about JDBC connections, which is something else.

Thanks

Steve


7 REPLIES

DRay
Community Team Member

Hi @herajapakse.

You're absolutely right to be concerned about the security implications of exposing an API token directly in the frontend. It's indeed a best practice to minimize exposure of sensitive credentials to prevent misuse and unauthorized access. We have documentation on the ComposeSDK site here: https://sisense.dev/guides/accessSecurity/

Here are a few strategies that you could use to securely establish a connection to your Sisense instance without exposing sensitive information in the frontend:

1. Backend Proxy:
Perhaps the most effective approach is to use a backend server as a proxy. In this configuration, the backend server holds the API token and interacts with Sisense on behalf of the frontend. The frontend communicates with your backend server using endpoint routes that you define, and then the backend server handles Sisense API requests.
Steps:
- Create API routes in your backend application (e.g., Node.js, Python Flask, etc.).
- Store the Sisense API token securely in the backend, using environment variables or encrypted secrets management tools.
- Use these routes to fetch data from Sisense by making HTTP requests to your backend instead of directly to Sisense.
- Optional: Implement caching in the backend to optimize performance.


2. OAuth2 with Sisense: https://docs.sisense.com/main/SisenseLinux/configuring-the-jdbc-connector-to-use-oauth.htm
Sisense supports OAuth2, so you can implement an OAuth2 flow. Your users would authenticate themselves, and the system grants a time-limited access token which is safer to handle in the front end.
Steps:
- Configure the OAuth2 setup in Sisense.
- Implement OAuth flow in your frontend to retrieve the token.
- Use the token to make API calls from the frontend, without needing to expose a permanent API token.


3. Environment-Specific Tokens:
For environments where a backend isn't feasible, consider using environment-specific, limited privilege API tokens, and ensure they are stored securely (e.g., using environment variables or web security measures like HTTPS).
Implementation:
- Generate separate tokens for development, testing, and production.
- Leverage the Sisense security model to restrict what each token can access or do.
- Ensure communications are made over HTTPS to secure the requests.

Example (Backend Proxy with Node.js):
Here’s a basic example of what the Node.js backend function might look like for forwarding requests to Sisense:
JavaScript:

const express = require('express');
const axios = require('axios');
require('dotenv').config(); // loads SISENSE_API_TOKEN from .env into process.env

const app = express();

app.get('/api/sisense/data', async (req, res) => {
  try {
    const response = await axios.get('https://your-sisense-instance/api/v1/data', {
      headers: {
        // template literal: the token is read from the backend environment only
        'Authorization': `Bearer ${process.env.SISENSE_API_TOKEN}`
      }
    });
    res.send(response.data);
  } catch (error) {
    res.status(500).send('Error retrieving data');
  }
});

app.listen(3000);


In this setup, you make sure only your backend app directly handles the Sisense API token, considerably reducing the risk of unauthorized exposure.
Please verify which of these approaches best fits your situation and infrastructure, and don't hesitate to ask if you need further detail on any of these suggestions!

Have a great day!

David Raynor (DRay)


DRay
Community Team Member

@steve Thank you for pointing out my suggestion 2. I didn't catch the JDBC connection part of it.

David Raynor (DRay)

DRay
Community Team Member

Hello @herajapakse.

I wanted to follow up to see if the solutions offered worked for you.

If so, please click the 'Accept as Solution' button so other users with the same questions can find the answer faster. If not, please let us know so that we can continue to help.

Thank you.

David Raynor (DRay)

DRay
Community Team Member

Hello @herajapakse,

I wanted to follow up to see if any of the solutions offered worked for you.

If so, please click the 'Accept as Solution' button on the appropriate post so other users with the same questions can find the answer faster. If not, please let us know so that we can continue to help.

Thank you.

David Raynor (DRay)

herajapakse
8 - Cloud Apps

@DRay the solution from @steve worked for me as we already had SSO for embedded dashboards.

DRay
Community Team Member

That's great to hear! I'm glad you are up and running. Thank you for coming back and letting us know.

Please let us know if there is anything else we can help you with, and please feel free to browse the Community to see if other folks have questions you can answer.

Have a great day!

David Raynor (DRay)