How to avoid exposing password of neo user?

[diyoyo]

Hi, is there another way to avoid having the password in clear text within the index.html file? It looks very unsafe to me.

I know I could make sure to only use a view only user that has only access to the views we want to show, but that would still not satisfy me enough.

Any help? Thanks.

[Popotojs]

Hi, You can create a proxy for the driver on a backend server and only use the credentials there.

[diyoyo]

Could you guide me a little more in that direction please? What is a driver proxy? Thanks.

[Popotojs]

I answered a bit quickly, a proxy might be hard to put in place on a backend server as you would have to support the full driver API.

You have other options detailed here: https://community.neo4j.com/t/protect-the-database-login-credentials-when-working-with-javascript/1052/3

In short you can

• Add a user login form on your client like in Neo4j Browser
• Implement a custom authenticator https://neo4j.com/docs/java-reference/current/extending-neo4j/security-plugins/
• Use a custom runner https://github.com/Nhogs/popoto/blob/master/src/runner/runner.js to call a backend service to get query results