Symptoms
I have a property with encrypted attribute but cannot get the value from my custom UI, access is allowed to the service I'm trying to get it from:
"access": {
"owner": true,
"admin": true,
"referrer": true
}
Cause
Since POA 5.5.2 it is not possible to get value of an encrypted property from custom UI: secure information should not be sent in plain text since it can be easily extracted using a debugger.
Encrypted properties are signified by:
@encrypted
tag in PHP runtime code. Some built-in types (like service users) have encrypted properties as well (passwords).
Resolution
Application back-end can still get values of all properties when authenticating with application certificate. Using a certificate is crucial to get these properties decrypted. In essence, it is not a problem of owner, admin or referrer access, but a problem of type of authorization.
Example
Your application's resources are provided to POA service users (your resource has a relation to service user in other words) and you need to know the password of a service user. If your application uses the PHP runtime library:
....
// imagine your resource has a link to service user called 'user'
/**
* @link("http://aps-standard.org/types/core/service-user/1.0")
* @required
*/
public $user;
....
// from backend, we can fetch encrypted properties of the user object, including password
public function provision() {
...
$apsc = \APS\Request::getController();
$user = $apsc->getResource($this->user->aps->id); // here the $user variable contains full representation of user object, including encrypted fields like passwords
$password = $user->password // now I can access the user's password
$password = $this->user->password // or without fetching with getResource
...
}
Note: For testing purposes, you can query APS bus with application instance token (pem.APS.getApplicationInstanceToken OA API method) and it will be effectively the same as authorizing via certificate. You will be able to see encrypted properties in this case.