Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@descope/access-key-management-widget
Advanced tools
.env
fileIn the widget package create an .env
file which includes;
DESCOPE_BASE_URL= # env base url, default: "https://app.descope.com"
DESCOPE_PROJECT_ID= # your Descope's project ID
DESCOPE_TENANT= # tenant ID
DEBUG_MODE= # "true" / "false", default: "false"
DESCOPE_THEME= # "light" / "dark" / "os", default: "light"
DESCOPE_WIDGET_ID= # default: "access-key-management-widget"
<script src="https://cdn.jsdelivr.net/npm/@descope/access-key-management-widget/dist/index.js"></script>
<descope-access-key-management-widget
base-url="<DESCOPE_BASE_URL>"
project-id="<DESCOPE_PROJECT_ID>"
tenant="<DESCOPE_TENANT>"
debug="<DEBUG_MODE>"
theme="<DESCOPE_THEME>"
widget-id="<DESCOPE_WIDGET_ID>"
></descope-access-key-management-widget>
Use widget-id access-key-management-widget
for admin view, to manage all tenant users' access keys.
Use widget-id user-access-key-management-widget
for user view, to mange access key for the logged-in tenant's user.
run npm start
to start the widget.
In order to work with the widget, you must be logged in as the tenant admin In case you are not authenticated, a login flow will run first, and after logging in, the widget will be rendered
/app
- contains index.html
/lib
- widget's source codelib/widget
- widget related implementationslib/widget/api
- Logic related to API callslib/widget/mixins
- Widget specific logiclib/widget/state
- State management logicThe widget is composed of mixins, each mixin contains specific logic parts, and sometime exposes an API that can be used in other mixins.
Mixins can be composed on top of each other, so we can create new mixins by composing several mixins together.
Functions that create mixins, can get a configuration, and returns the mixin functions.
Since mixins are composable, in some cases we want to make sure a mixin is loaded only once. For example: When there is no need for its logic to run multiple times when composed in different mixins.
For this case we have a wrapper function (createSingletonMixin
) to ensure that a mixin is loaded only once, regardless how many times it will be composed.
Mixins should be wrapped with the createSingletonMixin
wrapper function, unless there is a reason for running the mixin's logic multiple times.
We're using several tools to handle the widget's state:
An abstraction layer that provides an API for components, and enables handling interactions with components within the widget.
The motivation to use drivers is to decouple the widget's code from the component's implementation, and therefore it's important to interact with components only using drivers (and not relying on component's implementation details).
Widget UI is composed of @descope/web-components-ui
, which is loaded during the widget init in runtime.
For optimization, we load only the relevant components, defined on the widget screens DOM.
Since screen are fetched dynamically, when developing a new screen for the widget you will probably want to use mock templates. To do so, simply replace the call to fetchWidgetPage
with a string which includes your HTML.
In some cases you want to make changes to components anf see how it affects the widget. To do so, you need to build web-components-ui
and serve the dist
folder from your machine (with npx serve
or other util).
Add the key base.ui.components.url
to your localStorage and set its value to the URL of the served dist umd/index.js
file.
Pay attention that theme changes will not take affect until the components
FAQs
Descope access key management widget
We found that @descope/access-key-management-widget demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.