marcoCasamento / Hangfire.Redis.StackExchange

HangFire Redis storage based on original (and now unsupported) Hangfire.Redis but using lovely StackExchange.Redis client

The full connection string is displayed in the Hangfire dashboard #72

Closed Cisien closed 6 years ago

Cisien commented 6 years ago

One of the first things I noticed when configuring the Hangfire.Redis.StackExchange storage layer was that the entire connection string is being displayed in the footer of the Hangfire dashboard, including the password.

How can I prevent it from displaying the password? If I can't, I'd like to request a change so the password part of the connection string is not displayed to everyone with the ability to log in to the dashboard page.

redis://----------.redis.cache.windows.net:6380,password=---------------------------------------------,ssl=True,abortConnect=False/0

marcoCasamento commented 6 years ago

Which version of HF.core are you using? I don't have that problem.

Cisien commented 6 years ago

Relevant Packages:

    <PackageReference Include="HangFire" Version="1.6.17" />
    <PackageReference Include="Hangfire.AspNetCore" Version="1.6.17" />
    <PackageReference Include="Hangfire.Redis.StackExchange.StrongName" Version="1.7.0" />

Initialization Code:

    // ConfigureServices
    var redisConnecton = ConnectionMultiplexer.Connect(Configuration.GetConnectionString("Redis"));
    services.AddHangfire(a =>
    {
        a.UseRedisStorage(redisConnecton, new Hangfire.Redis.RedisStorageOptions
        {
            Prefix = "pfx:",
            SucceededListSize = 10000,
            DeletedListSize = 1000
        });
    });

    // Configure
    app.UseHangfireDashboard("/jobs", new DashboardOptions { AppPath = "/jobs", StatsPollingInterval = 1000 });
    app.UseHangfireServer(new BackgroundJobServerOptions
    {
        WorkerCount = 20
    });

Connection String in config:


    "ConnectionStrings": {
      "Redis": "-----------.redis.cache.windows.net:6380,password=-------------------------------,ssl=True,abortConnect=False"
    }

marcoCasamento commented 6 years ago

Oh, can you try accessing the dashboard not from localhost?

Cisien commented 6 years ago

I found a similar issue over at the Hangfire repo: https://github.com/HangfireIO/Hangfire/issues/802

marcoCasamento commented 6 years ago

Yes, but as far as I remember it has been solved and now the dashboard only shows full info when accessed from localhost. Anyway, you can prevent the connection string from being displayed at all by setting DisplayStorageConnectionString = false; in DashboardOptions (see https://github.com/HangfireIO/Hangfire/commit/0394c63c0fa6b7590569f4be1b6d1a40aae4bc86)

Cisien commented 6 years ago

Interesting. I'm getting the connection string when hosting locally in docker (using the docker container ID or IP to access the dashboard).

It looks like the DisplayStorageConnectionString setting hasn't made it into the released nuget packages. I'll keep an eye open for that change. Thanks for the help!
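
The leak reported in this thread comes from rendering the storage connection string verbatim, password included. As an added example (not code from Hangfire, Hangfire.Redis.StackExchange, or any commenter), the C# helper below masks the `password` option in a string of the shape shown above before it is logged or displayed. The name `RedisConnectionStringRedactor` is hypothetical and the sample value is constructed.

```csharp
using System;
using System.Linq;

// Added example: masks secrets in a comma-separated Redis connection string.
// RedisConnectionStringRedactor is a hypothetical helper, not a library type.
public static class RedisConnectionStringRedactor
{
    // Option keys whose values must never reach a UI or a log line.
    private static readonly string[] SecretKeys = { "password" };

    public static string Redact(string connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString)) return string.Empty;

        // Layout: endpoints first, then key=value options, all comma-separated.
        var parts = connectionString.Split(',').Select(part =>
        {
            // Split on the FIRST '=' only: base64 keys often end in '='.
            int eq = part.IndexOf('=');
            if (eq < 0) return part; // endpoint such as host:6380, no option key
            string key = part.Substring(0, eq).Trim();
            bool isSecret = SecretKeys.Contains(key, StringComparer.OrdinalIgnoreCase);
            return isSecret ? key + "=***" : part;
        });
        return string.Join(",", parts);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample in the same shape as the dashboard footer string.
        const string sample =
            "redis://example.redis.cache.windows.net:6380,Password=NotARealSecret==,ssl=True,abortConnect=False/0";

        string safe = RedisConnectionStringRedactor.Redact(sample);
        Console.WriteLine(safe);

        // Fail loudly if any part of the secret survived redaction.
        if (safe.Contains("NotARealSecret"))
            throw new InvalidOperationException("password leaked into the display string");
    }
}
```

The helper only covers strings your own code writes to logs or diagnostics pages; the dashboard footer itself is controlled by the `DisplayStorageConnectionString` option mentioned above.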