Problem:
The API key generated with the VUSION Manager and embedded within a QR code for the purpose of configuring the vLink application to a specific store appears to be permanent. As such, in the event of the shared secret being exposed, there is no mechanism to refresh/reset/rotate the key to curtail the exposure.
Narrative:
In the event that a user copies (takes a photo of) the configuration QR code, they effectively have the ability to configure the vLink application on any Android device to manage labels in perpetuity. While the potential fallout for this scenario is a limited risk (labels dissociated or mismatched by a disgruntled employee, for example), providing a means for the API key embedded in the QR code to be rotated would allow for unauthorized access to be revoked.
Example Redacted JSON Containing API Key Embedded in QR Code:
{"storeId":"mystore.1234","apiUrl":"https://api-us.vusion.io","env":"eusp","apimKey":"REDACTED","isPro":true}
Proposed Solution:
Provide a mechanism that allows the QR code encoded with the API key to be deprecated by way of invalidating the API key. This should generate a new API key and subsequently embed it in a new QR code.
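The rotation mechanism proposed above, sketched as an added example (not VUSION's own code, and not how VUSION Manager is implemented): the server keeps only a hash of each store's current key, an ADMIN-only rotate call revokes the old key and mints a replacement, validation rejects any key that is not the current unrevoked one, and the new key is written into a QR payload with the same fields as the redacted JSON above. The class and function names, the SHA-256 key hashing, the "ADMIN" role string, and the default apiUrl/env values are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    """Server-side record of one issued store key. Only a hash is stored."""
    key_hash: str
    version: int
    revoked: bool = False


def _hash_key(key: str) -> str:
    # Keys are random, high-entropy tokens, so an unsalted SHA-256 is enough
    # to avoid keeping the plaintext at rest (assumed design choice).
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class StoreApiKeyRegistry:
    """Per-store API keys with ADMIN-only issue/rotate and immediate revocation.

    Hypothetical illustration of the requested feature, not a vendor API.
    """

    def __init__(self) -> None:
        # store_id -> records, oldest first; only the newest may be active
        self._records: dict[str, list[KeyRecord]] = {}

    @staticmethod
    def _require_admin(actor_role: str) -> None:
        if actor_role != "ADMIN":
            raise PermissionError("only ADMIN profiles may issue or rotate store keys")

    def issue_key(self, store_id: str, actor_role: str) -> str:
        """Create the first key for a store; the plaintext is returned once."""
        self._require_admin(actor_role)
        if store_id in self._records:
            raise ValueError("store already has a key; use rotate_key")
        return self._mint(store_id, version=1)

    def rotate_key(self, store_id: str, actor_role: str) -> str:
        """The 'regenerate' action: revoke every prior key, mint a new one."""
        self._require_admin(actor_role)
        history = self._records.get(store_id)
        if not history:
            raise ValueError("no key to rotate; use issue_key")
        for record in history:
            record.revoked = True  # a photographed QR code stops working here
        return self._mint(store_id, version=history[-1].version + 1)

    def _mint(self, store_id: str, version: int) -> str:
        plaintext = secrets.token_urlsafe(32)
        self._records.setdefault(store_id, []).append(
            KeyRecord(key_hash=_hash_key(plaintext), version=version)
        )
        return plaintext

    def validate(self, store_id: str, presented_key: str) -> bool:
        """True only if presented_key is this store's current, unrevoked key."""
        history = self._records.get(store_id)
        if not history:
            return False
        current = history[-1]
        if current.revoked:
            return False
        # Constant-time comparison of hex digests.
        return hmac.compare_digest(current.key_hash, _hash_key(presented_key))

    def current_version(self, store_id: str) -> int:
        history = self._records.get(store_id)
        return history[-1].version if history else 0


def qr_payload(store_id: str, api_key: str,
               api_url: str = "https://api-us.vusion.io",
               env: str = "eusp", is_pro: bool = True) -> str:
    """JSON to encode in the re-issued QR code (same fields as the example above).

    api_url and env defaults are taken from the redacted example; adjust per region.
    """
    return json.dumps({"storeId": store_id, "apiUrl": api_url, "env": env,
                       "apimKey": api_key, "isPro": is_pro}, separators=(",", ":"))


def parse_qr_payload(text: str) -> dict:
    """What the app does after scanning: decode the JSON it was given."""
    return json.loads(text)


if __name__ == "__main__":
    # Constructed scenario: a key leaks via a photographed QR code, then is rotated.
    registry = StoreApiKeyRegistry()
    leaked = registry.issue_key("mystore.1234", "ADMIN")
    print("leaked key accepted before rotation:", registry.validate("mystore.1234", leaked))
    fresh = registry.rotate_key("mystore.1234", "ADMIN")
    print("leaked key accepted after rotation: ", registry.validate("mystore.1234", leaked))
    print("new QR payload:", qr_payload("mystore.1234", fresh))
```

Two details matter in practice: rotation must revoke the old key atomically with minting the new one (no grace window in which both are valid unless you explicitly want one for re-printing QR codes), and the plaintext key should only ever be shown in the newly generated QR code, never stored or logged server-side.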
Emmanuelle-
Great! Thank you for the consideration.
Thanks again,
-Will
Hi William,
This idea has been accepted. We will create a specific button to regenerate the API key to configure VUSION Link.
This button will only be accessible for "ADMIN" profiles.
BR,
Emmanuelle