+ Start a Discussion
GoForceGoGoForceGo 

Heroku Integration - Will this be secure? Alternatives?

Since salesforce.com does not have native Excel processing libraries, a part of my app that processes Excel will be hosted on Heroku.
These Excels are typically loaded into the system by Guest (Sites) users without a username/password, so they don't have a secure session Id associated with them.

Currently I am thinking that admin user will login and schedule an apex job into which inject a session id of the admin login . This session id would be sent via https/ssl to Heroku Excel processer. The Heroku Excel processor which would use the session id for call back to salesforce (to grab the Excel and process data in it). The Heroku app would be stateless - it  would not store anything inside database on the Heroku end - essentially it would grab excel from salesforce, process them, and put data back in salesforce.com. It would be single multi-threaded single instance of Heroku app would serve all my salesforce customers.

I am worried that session would be a long living session - it could be months, creating a risk for session highjacking.

Any other alternatives I should consider? OAuth? Seems like I would have to Oauth tokens on Heroku side in db.







 

Hargobind_SinghHargobind_Singh
Hi, There are actually a few things to think about, when you start considering security. And, it would not be security only, it could also be someone trying to hijack the system by overloading it with excel files using some automatic script that runs on the browser. 

Here are some pointers on top of my mind right now:
  • Look for all possibilities to have the upload behind a login, this would save you quite a few hassles in managing the session IDs etc. If not, be sure that you have some captcha to avoid robots trying to upload the files 
  • Its a good approach to use Heroku to do the excel processing. You can authenticate using OAuth, but you would definitely need to keep the token secure in Heroku, yes, it would be stored somewhere and that db  needs to be secured.
  • You should talk to the app provider (for excel processing) to see if they keep these files in cache somewhere, if they do, when does the cache gets emptied and what are the chances of a file being there forever 
  • Your Apex callout code should have capability of retrying failed processing files 


Overall, I have used Heroku in a few apps, and got it security approved from salesforce as well, as long as you are taking care of securely storing the tokens, and not accessing APIs without authentication, you should be good to go ! 

Hope this helps !!