@sap-ux/store
This is a store for persistent data in Fiori tools.
Add @sap-ux/store to your project's package.json to include it in your module.
The main API to this module is getService(). Given an optional logger and an entity name, this function will return an instance of a class with the following methods:
interface Service<Entity, EntityKey> {
    read(key: EntityKey): Promise<Entity | undefined>;
    write(entity: Entity): Promise<Entity | undefined>;
    delete(entity: Entity): Promise<boolean>;
    getAll(): Promise<Entity[] | []>;
}
Currently, 'system', 'telemetry' and 'api-hub' are the only supported entities. Support for 'user' may be added in the future.
Unsupported entity names will result in an error being thrown.
The store supports storing values in operating-system-specific secure storage, such as the keychain on macOS or secure storage on Windows. To disable access to secure storage, set the environment variable FIORI_TOOLS_DISABLE_SECURE_STORE.
(Please read the code for the system entity starting here for a concrete example: ./src/services/backend-system.ts)
This needs to implement the Service<Entity, EntityKey> interface shown above. This is what the external clients of the API will use.
Optionally, you may need to migrate data if the underlying schema changes. You may choose to do this as a single-shot one-off procedure or do it on the fly when any of the service methods are accessed. Code for an example migration service (no-op).
It is recommended that the DataProvider interface be used to create a data provider for the new entity. This class's only concern is managing the persistence of the entity. The service interface may have other concerns, like the data migration step in the system store.
Recommended interfaces to implement:
interface DataProvider<E, K extends EntityKey<E>> {
    read(key: K): Promise<E | undefined>;
    write(entity: E): Promise<E | undefined>;
    delete(entity: E): Promise<boolean>;
    getAll(): Promise<E[] | []>;
}
Implement the static side of the interface for the constructor:
interface DataProviderConstructor<E, K extends EntityKey<K>> {
    new (logger: Logger): DataProvider<E, K>;
}
Data providers can delegate to data accessors.
The following data accessors are currently available:
This stores the entities on the filesystem inside the Fiori Tools directory (uses getFioriToolsDirectory() from @sap-ux/common-utils).
This stores information on the filesystem and the system's secure store.
Entity classes are simple. They don't do much other than list the properties that will be serialized. @serializable and @sensitiveData are two annotations that are understood by the hybrid store.
The system entity, for example, looks like this:
class BackendSystem {
    @serializable public readonly name: string;
    @serializable public readonly url: string;
    @serializable public readonly client?: string;
    @sensitiveData public readonly serviceKeys?: unknown;
    @sensitiveData public readonly username?: string;
    @sensitiveData public readonly password?: string;
    ...
    ...
}
Systems that are constructed using new BackendSystem({...}) will have the properties correctly persisted in the relevant medium by the hybrid data accessor.
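The split the hybrid data accessor is described as performing, sketched as an added example that is not code from @sap-ux/store. Explicit field lists stand in for the @serializable and @sensitiveData annotations, two in-memory objects stand in for the Fiori Tools directory and the OS secure store, and every name (hybridWrite, hybridRead, leakedFields, SYSTEM_POLICY) is hypothetical. Dropping unlisted properties and clearing stale secrets on rewrite are assumptions of this sketch.

```typescript
// Added illustration, not @sap-ux/store code; every name below is hypothetical.
interface EntityKey { getId: () => string; }
type Bag = Record<string, unknown>;
// In-memory stand-ins (assumption) for the two media a hybrid accessor uses.
interface Media {
    files: Record<string, string>;       // plain JSON in the Fiori Tools directory
    secureStore: Record<string, string>; // OS keychain / secure storage
}
// Explicit field lists play the role of @serializable / @sensitiveData.
interface FieldPolicy { serializable: string[]; sensitive: string[]; }
const SYSTEM_POLICY: FieldPolicy = {
    serializable: ['name', 'url', 'client'],
    sensitive: ['serviceKeys', 'username', 'password']
};

function pick(entity: Bag, fields: string[]): Bag {
    const out: Bag = {};
    for (const f of fields) { if (entity[f] !== undefined) { out[f] = entity[f]; } }
    return out;
}

// Write: unlisted properties are dropped; sensitive ones never reach `files`.
function hybridWrite(media: Media, policy: FieldPolicy, key: EntityKey, entity: Bag): void {
    const id = key.getId();
    media.files[id] = JSON.stringify(pick(entity, policy.serializable));
    const secrets = pick(entity, policy.sensitive);
    if (Object.keys(secrets).length > 0) {
        media.secureStore[id] = JSON.stringify(secrets);
    } else {
        delete media.secureStore[id]; // do not leave stale credentials behind
    }
}

// Read: merge both halves; no file entry means the entity does not exist.
function hybridRead(media: Media, key: EntityKey): Bag | undefined {
    const id = key.getId();
    if (media.files[id] === undefined) { return undefined; }
    const secret = media.secureStore[id];
    return { ...JSON.parse(media.files[id]), ...(secret ? JSON.parse(secret) : {}) };
}

// Audit: sensitive field names that ended up in the on-disk JSON.
function leakedFields(media: Media, policy: FieldPolicy): string[] {
    const leaked: string[] = [];
    for (const id of Object.keys(media.files)) {
        const names = Object.keys(JSON.parse(media.files[id]));
        leaked.push(...names.filter((f) => policy.sensitive.indexOf(f) !== -1));
    }
    return leaked;
}
```

Running leakedFields over the real on-disk JSON after a schema change is a cheap regression check that a newly added credential field was marked sensitive.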
Every entity needs an EntityKey implementing this interface:
interface EntityKey<T> {
    getId: () => string;
}
FAQs
NPM module for storing persistent data
The npm package @sap-ux/store receives a total of 152,609 weekly downloads. As such, @sap-ux/store popularity was classified as popular.
We found that @sap-ux/store demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.