neo4j-devtools / neo4j-desktop

The Neo4j Graph Platform, on your desktop OS.

Graph-App, Best-Practice: How to supply graph's credentials from graph-app to background process #104

Closed mmopitz closed 3 years ago

mmopitz commented 3 years ago

Hi there, I'm currently in the midst of developing a graph-app for neo4j desktop.

What I want to do is:

  1. spawn a java-background-process from the graph app
  2. Execute a few cypher queries inside the java-background-process against the running graph (I simply used the cypher-java-driver for that)
  3. return a result from the java-background-process to the graph-app

All of that works just fine! But currently my graph-app passes the server's credentials via command line to the background-process. This means that while my background-process is running, the credentials are visible in the process list. From a security point of view this is of course a nightmare (see attached screenshot).

Do you have any recommendations/best-practices on how to handle credentials in such a scenario? My first instinct was to pass the password via the background-process's stdin. But I didn't find any documentation on how to achieve this.

Side Note: For project management reasons I can't pull the logic from the java-background-process into the graph-app. I also can't put the logic into a neo4j-plugin.


mmopitz commented 3 years ago

Update: We figured a way out. Using the nodeProcess-field in the legacy-api we were able to supply the password via stdin:

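```javascript
window.neo4jDesktopApi.executeJava(parameters)
   .then(process => {
      // nodeProcess.stdin is a writable stream: set the encoding used for string writes
      process.nodeProcess.stdin.setDefaultEncoding('utf-8');
      // Send the password over stdin so it never appears in the process list
      process.nodeProcess.stdin.write(password);
      process.nodeProcess.stdin.end();
      return process;
   });
```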
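The difference between the two hand-off methods discussed in this thread, as an added Node.js example that is not part of the original posts or of the Neo4j Desktop API. It assumes a small Node worker as a stand-in for the Java background process; `runWorker`, `leaksOnCommandLine` and the sample secret are constructed for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Stand-in worker (assumption: the real Java process would read System.in
// the same way). It reports its full command line, which is what a process
// listing exposes, plus the length of whatever arrived on stdin.
const WORKER = `
  const chunks = [];
  process.stdin.on('data', c => chunks.push(c));
  process.stdin.on('end', () => {
    const stdinSecret = Buffer.concat(chunks).toString('utf8').trim();
    console.log(JSON.stringify({
      cmdline: [...process.execArgv, ...process.argv.slice(1)],
      stdinLength: stdinSecret.length,
    }));
  });
`;

// Run the worker synchronously with extra arguments and optional stdin data.
function runWorker(extraArgs, stdinData) {
  const res = spawnSync(process.execPath, ['-e', WORKER, ...extraArgs], {
    input: stdinData,
    encoding: 'utf8',
  });
  if (res.status !== 0) throw new Error(res.stderr);
  return JSON.parse(res.stdout);
}

// True if the secret appears anywhere in the worker's command line.
function leaksOnCommandLine(report, secret) {
  return report.cmdline.some(arg => arg.includes(secret));
}

const SECRET = 'constructed-demo-password'; // constructed sample value

// Variant 1: secret as a command-line argument (visible in the process list).
function viaArgv() { return runWorker([SECRET], ''); }

// Variant 2: secret written to the worker's stdin, then stdin is closed.
function viaStdin() { return runWorker([], SECRET + '\n'); }

console.log('argv leaks: ', leaksOnCommandLine(viaArgv(), SECRET));
console.log('stdin leaks:', leaksOnCommandLine(viaStdin(), SECRET));
```
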