Standalone username and password

[geetparekh]

This page describes the following:

standaloneUsername: A hidden config parameter enables you to set the username for standalone mode by default. Keep in mind this is a security risk, as it exposes the Neo4j username to anyone who can access the NeoDash deployment

standalonePassword: A hidden config parameter enables you to set the password for standalone mode by default. If this value is set connections are also made automatically. Keep in mind this is a security risk, as it exposes the Neo4j username to anyone who can access the NeoDash deployment.

Now, there are two ways to pass these variables: 1) through dist/config.json and 2) through environment variables (available within the container where we run the Neodash server) when using Docker image

For the first one, it is understandable that there is a security risk because the credentials are there in the dist/config.json and anyone having access to the deployment server, will be able to see it. However, for the second one, if the credentials are available through environment variables within the container, even then are the credentials exposed to someone who has access to NeoDash deployment? Does Neodash still write the credentials to a file exposing the credentials? In our case, we would be passing in environment variables to the container through Kubernetes secrets in our namespace/cluster for which we have measures to ensure security.

Expectation:

• Credentials passed through environment variables when using Docker image should not be exposed anywhere else by NeoDash (if it is doing that). Having the environment variables available securely would be user's responsibility.
• If Neodash does not currently expose credentials passed as environment variables anywhere else, then the documentation needs to be updated clarifying that.

[bowman-david]

To add some additional detail to the bug @geetparekh documented, when the standaloneUsername and standalonePassword environment variables are set in any of the following manners:

• In manual deployments as part of the config.json file
• In Docker deployments, as environment variables passed in at runtime

Regardless of how these attributes are set, the config.json file is publicly exposed via Nginx, including the values of the standaloneUsername and standalonePassword in plain text.

There are several possible paths to mitigation:

• When running in standalone mode, do not publicly expose the config.json file and instead let this be server-side only.
• When running in standalone mode, modify the Nginx policy to only allow reading of the config.json locally (not from client)
• When running in standalone mode, implement server-side rendering vs client side rendering. This is likely the most straight forward, and I recognize this will likely only be compatible with certain dashboard components on initial release, however the security risk mitigation would be helpful.

In any case, help articles describing deployment technique (in the meantime) need to be incredibly explicit on the security risk of Neodash dashboards when deployed either in public or internal hosting environments. I'd be happy to submit a PR to the documentation site that describes this nuance, if desired.