Should I use DocumentClient (CosmosDB) directly in a desktop client

Question

It seems if I use a DocumentClient directly in a desktop app it is exposing a security issue relating to the api key used in constructing the Doucument Client. There doesn't seem to be a way of securing the key. Bringing the key into the client could lead to a hacker having full control over the database. It appears to me that the only way is to put the DocumentClient behind a Web Api or cloud Function.

So am I correct in saying never use DocumentClient in the client if you can't secure access to the app?

Answer 1

Having the DocumentClient directly accessible means that the customer has access to the key. You can utilize obfuscation to try to hide it but it's very easy to actually just monitor the traffic of the app and capture the key or even dump it as a string from the memory during runtime, when it's unencrypted. You could use resource tokens but again, this is too much of a risk.

What you really want is to have your desktop client talk to an API with it's own auth that will talk to CosmosDB itself.

Answer 2

Since you have already access to an Azure Subscription you could also store the api key in the Azure Key Vault, which is a service specially for storing secrets.

So the client will request the api key from the key vault. To access the key vault you can authenticate against it using a client certificate as outlined here.