
Sensitive Values


Definition

When writing LSD SQL that enters sensitive values such as passwords, you may prefer that the actual values appear only during evaluation and are not stored in the code itself. For these scenarios, we offer a two-leg flow for supplying sensitive values. To mark a value as sensitive, prefix it with a dollar sign $, as you would a variable in Sass.

$some_sensitive_value

This may be applicable for scenarios where you need to provide a password value.

|> ENTER INTO password_input $password

Providing the secrets callback URL

This feature is currently supported only when connecting through our Postgres-compatible database, with the callback URL provided in the application_name connection parameter. This can be understood as expressing to LSD SQL how the application should name a sensitive value during evaluation.

Providing secrets callback URL in connection URI

To provide the application_name connection parameter in the connection URI itself, append it as a query parameter following a ? after the other fields. This is the paramspec section of a connection URI. (If you don’t already have an API key for the connection URI, create a new one from your profile.)

postgresql://user:pass@host:5432/dbname?application_name=<your secrets callback URL>

Suppose the secrets callback URL you’re using for a connection is my-company.com/lsd-secrets-callback. A connection URI for LSD would then look like the following:

postgresql://username:<api key>@lsd.so:5432?application_name=my-company.com%2Flsd-secrets-callback

Note: As shown above, although application_name serves a different purpose here than in Postgres, it is still a component of a URI string and must be URL-escaped.

Providing secrets callback URL in connection arguments

If you are unable to set the application_name parameter in the URI you provide to a tool such as an ORM, you may need to pass it in a separate object when connecting. In SQLAlchemy, it goes in the connect_args dictionary argument following the connection URI.

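from sqlalchemy import create_engine

# connect_args is passed through to the database driver when connecting
engine = create_engine(
    "postgresql://user:pass@hostname/dbname",
    connect_args={"application_name": "<your secrets callback URL>"},
)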

Declaring a sensitive value

In LSD SQL, to declare a value as being sensitive and requiring the value itself to be provided during evaluation, just prefix its identifier with a dollar sign.

|> ENTER INTO otp_input $otp_code

That’s it. No convoluted configuration.

Providing a sensitive value

Request for sensitive value

During evaluation, LSD will send a request to the secrets callback URL provided in the application_name connection parameter. It will be a POST request with a JSON body in the schema shown below:

{
  "sensitive_field": "$some_sensitive_value",
  "unique_id": "[hash]"
}

The value of the sensitive_field key is the identifier of the sensitive value you defined in the LSD SQL. The value of unique_id is the unique key you use when providing the value to LSD, so that we are able to correlate the sensitive value given.

Response with sensitive value

To provide the value during evaluation after receiving a request containing a unique_id, make a POST request to our endpoint https://lsd.so/provide-secret with a JSON body in the schema shown below. Be sure to include the [hash] value given in the request so we can correctly correlate your sensitive value.

{
  "$some_sensitive_value": "[your value here]",
  "unique_id": "[hash]"
}

LSD will then use the value in [your value here] for $some_sensitive_value and proceed with evaluating your LSD SQL.
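Both legs of the flow described above, as an added example that is not LSD's own code: build_reply turns the callback's incoming JSON into the body for https://lsd.so/provide-secret, refusing malformed requests and identifiers you did not declare, and connection_uri shows the URL escaping of application_name. The function names, the secrets mapping, the Content-Type header and the sample values are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import quote

PROVIDE_SECRET_URL = "https://lsd.so/provide-secret"  # endpoint named on this page


def connection_uri(user, api_key, callback_url):
    """Connection URI with the callback URL escaped into application_name."""
    return (f"postgresql://{quote(user, safe='')}:{quote(api_key, safe='')}"
            f"@lsd.so:5432?application_name={quote(callback_url, safe='')}")


def build_reply(request_body, secrets):
    """Build the leg-2 JSON for one leg-1 request, or None to refuse it.

    `secrets` (assumed store) maps declared identifiers such as "$otp_code"
    to values; malformed requests and undeclared identifiers are refused.
    """
    try:
        msg = json.loads(request_body)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict):
        return None
    field, uid = msg.get("sensitive_field"), msg.get("unique_id")
    if not (isinstance(field, str) and isinstance(uid, str) and uid):
        return None
    if not field.startswith("$") or field not in secrets:
        return None
    return {field: secrets[field], "unique_id": uid}


def provide_secret(reply, send=urllib.request.urlopen):
    """POST the reply to LSD; `send` is injectable so tests stay offline."""
    req = urllib.request.Request(
        PROVIDE_SECRET_URL,
        data=json.dumps(reply).encode("utf-8"),
        headers={"Content-Type": "application/json"},  # assumed header
        method="POST",
    )
    return send(req)


if __name__ == "__main__":
    # Constructed sample request and secret; not real values.
    body = b'{"sensitive_field": "$otp_code", "unique_id": "abc123"}'
    print(connection_uri("username", "EXAMPLE_KEY", "my-company.com/lsd-secrets-callback"))
    print(build_reply(body, {"$otp_code": "000000"}))
```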

Example

Coming soon.

