Storing secrets is easy to get wrong but not something you ever want to actually get wrong. Check out this video on how best to manage secrets in your Power-Ups:
If you need to store sensitive information, such as an OAuth token to a service other than Trello, we recommend that you use `t.storeSecret` and `t.loadSecret` to do so.
When storing a secret, Trello will generate a new encryption key for the member if one doesn't yet exist for your Power-Up, encrypt the secret, and store it in the browser's local storage (on your Power-Up's domain, not on the `trello.com` domain).
While this does mean that your users may have to repeat the process on each browser they use, it also means their secrets are never sent to Trello, and therefore remain safe with the Power-Up itself.
```javascript
var t = window.TrelloPowerUp.iframe();
return t.storeSecret('token', 'shhh...its a secret');
```
It is possible that `t.loadSecret()` can throw a `Decryption failed` error when attempting, and failing, to decrypt a secret. This can happen if the encryption key stored in `pluginData` has been removed via the user selecting `Remove Personal Settings` from the Power-Up's settings menu. When using `t.loadSecret()`, you should expect to catch this error.
If you are using this method, you'll want to make sure you catch and handle cases where access to localStorage is disabled in the browser. You should try to present the user with a helpful message that localStorage needs to be enabled for your domain.
To retrieve secrets that you have stored via `t.storeSecret`, you'll need to use `t.loadSecret`. It will handle decrypting the secret before handing it back to you.
```javascript
var t = window.TrelloPowerUp.iframe();
return t.loadSecret('token')
  .then(function (secret) {
    console.log(secret);
  });
```
You can use `t.clearSecret` to remove a locally stored secret (one that was stored via `t.storeSecret`).
Note that this will remove the encrypted secret locally, but will not remove or alter the encryption key stored in Trello. That's probably the behavior that you want, as removing or altering the encryption key would render all secrets stored via `t.storeSecret` with that key useless.
```javascript
TrelloPowerUp.initialize({
  'remove-data': function (t) {
    // the user has pressed the remove personal settings button
    // let's imagine earlier we stored a secret like so:
    // t.storeSecret('token', 'shh its a secret');
    // now we just want to clean it up
    return t.clearSecret('token');
  }
});
```
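The two failure cases described above (a `Decryption failed` error after the key was removed, and localStorage being disabled) can be handled in one wrapper around `t.loadSecret`. This is an added example, not code from the Trello documentation. The names `loadToken`, `storageUsable` and `isDecryptionFailure` are hypothetical, and matching the error by its message text is an assumption.

```javascript
// Probe localStorage. When it is disabled, accessing it or calling setItem throws.
function storageUsable(getStorage) {
  try {
    var s = getStorage();
    var probe = '__powerup_probe__';
    s.setItem(probe, '1');
    s.removeItem(probe);
    return true;
  } catch (e) {
    return false;
  }
}

// Assumption: the error's message carries the "Decryption failed" text.
function isDecryptionFailure(err) {
  return !!err && /Decryption failed/i.test(String(err.message || err));
}

// Resolves to { status, token } where status is one of:
//   'ok'               - the token was decrypted
//   'needs-auth'       - nothing usable is stored; ask the user to authorize again
//   'storage-disabled' - ask the user to enable localStorage for the Power-Up's domain
function loadToken(t, getStorage) {
  getStorage = getStorage || function () { return window.localStorage; };
  if (!storageUsable(getStorage)) {
    return Promise.resolve({ status: 'storage-disabled', token: null });
  }
  // Promise.resolve().then(...) turns a synchronous throw into a rejection too.
  return Promise.resolve().then(function () {
    return t.loadSecret('token');
  }).then(function (secret) {
    // A falsy result is treated here as "nothing stored" (an assumption).
    return secret ? { status: 'ok', token: secret }
                  : { status: 'needs-auth', token: null };
  }).catch(function (err) {
    if (!isDecryptionFailure(err)) { throw err; }
    // The stored ciphertext can no longer be decrypted, so remove it
    // before the user authorizes again and a fresh secret is stored.
    return t.clearSecret('token').then(function () {
      return { status: 'needs-auth', token: null };
    });
  });
}
```

The wrapper never logs the decrypted token. The caller decides what to show the user for each status.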