What's the secret to working with a password field...
# suitescript
d
What's the secret to working with a password field on a custom record? Wanted to use one but I can't get the data to use it in the scripts.
s
I've only worked with password fields as done in a suitelet to protect credentials... if that's what you're talking about then you can only refer to the data, you can't actually get it. You can refer to it using curly brace with the assigned guid.
b
The Table of Custom Field Type Descriptions details how you work with password fields
its current intended purpose is to mask input
the legacy behavior is that you can use a search to get the password field, which will give you the hash of the field
you can use nlapiEncrypt with the default sha1 parameter to compare an input string to see if it matches the password
d
Tried to use N/query to get data with no luck
I need the field as a stored value that I can use to access other services
b
the deprecation noted in the documentation should scare you back to doing your own hashing
s
the 'password' field type in that table doesn't have any deprecation warnings in my link.
but the main point for @dcrsmith is you cannot get the original value back from that field.
b
sha1 for nlapiEncrypt is deprecated
s
it sounds like he wants to securely save a password, then retrieve the password plaintext for use elsewhere - so hashing isn't the solution
does your table have more than this @battk
@dcrsmith perhaps you need Form.addCredentialField()
b
i was describing the deprecation noted in nlapiEncrypt
d
In this case @stalbert is correct.
I may just go back to plain text. It's not real critical in this case. Just a little confused why it even exists as an option if you can't later use it.
b
if you are using the password in an https request, a credential field is the overcomplicated option
s
what is the simple solution? I always want simpler solutions!
d
Yes, this is being used to call a 3rd party integration.
s
the standard recipe I've seen is:
1. capture password using a Suitelet with Form.addCredentialField()
2. save the returned handle to the credential (GUID).
3. refer to that GUID in your https request.
4. NetSuite replaces the GUID with the actual password
d
In my case it is stored on a custom record.
No suitelet involved. I've done that before too but not here.
s
If it's stored on a custom record then you already have the plaintext password for direct access... nothing to do but read it and use it?
though that's exactly what that suitelet/credentialField thing is trying to avoid 🙂
d
Typically I will just encrypt the field myself with a UE. I just thought a password field would be better. The N/query and record.load do not work to read the value of the password field.
s
if you encrypt the field 'yourself', where do you store the key?
d
Depends on the solution. Sometimes directly in the code but I've also stored it on the Company General Preferences page as well.
s
therein lies the crux of the problem - just moving a secret elsewhere doesn't make it secure.
d
It does if only an admin has access to it.
b
the encrypt it yourself approach tends to fail if your threat model also includes someone being able to modify your script to log the password
s
As far as I know the only solution offered by NS is that rather obtuse credential field/GUID approach.
b
if that is not an issue, hiding the password is much easier than credential fields
d
So the question turns to why is there a password field option? How do you get that data for use later?
s
it's also a best practice that even admins not be able to read a password plaintext.
d
Yes. Agreed.
s
the password field allows you to indirectly compare passwords via the hash mechanism, but apparently even that is shaky, if they don't update the hash algorithm
d
It's high time someone put together an example solution. The need/want (in general) is the 'best practice' approach to storing credentials in NetSuite using native apis/tools. Both 'setting' and 'getting' those securely stored values.
Might be something to put on my XMas holiday chores
d
I created a credentials manager that uses the UE to encrypt the passwords for us, works really well.
d
Hmm, interesting. No Suitelet involved?
d
No. Not for the password
s
encrypts using a password that is accessible to Admins?
b
although its documentation is old, the SDN Credentials SuiteApp is a tutorial/example of how to use credential guids
d
Nice @battk, I'll have a look.