How do I securely back up my session data files?

[smashah]

session.data.json (or ${sessionId}.data.json) files are basically the key into your host account's WA session. You have to keep this secure and NEVER commit it to any repository. I would go as far as to say you shouldn't even set it as an environmental variable. This is because env vars can be leaked if a bad actor gets access to your machine.

So then the question becomes, how do I save the session data safely? The answer (for now) is to have it be saved in a secure S3-compatible storage bucket and add those bucket details to your configs.

Step 1 - Get S3 Bucket details

You can use other providers for this but for now let's stick with AWS. Use the following instructions to get the necessary details to continue:

https://medium.com/@shamnad.p.s/how-to-create-an-s3-bucket-and-aws-access-key-id-and-secret-access-key-for-accessing-it-5653b6e54337

Note: If you want, you can create a folder in your S3 bucket if you don't want your session data files in the root of your bucket.

You should now have enough details to create a JSON like this:

{
    "provider": "AWS",
    "region": 'us-east-2',
    "bucket": "my-super-secure-session-data-bucket",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "AKIAIOSFODNN7EXAMPLE",
    "directory": "sessiondata" //optional
}

Step 2 - Add the bucket details

The simplest/cleanest way to set up the bucket details is to encode the JSON as base64 string and add that string as the sessionDataBucketAuth property on the config

You can use a service like base64.guru or devUtils to convert a string to base64 or use the code bellow:

For example:

console.log(Buffer.from(JSON.stringify({
    "provider": "AWS",
    "region": 'us-east-2',
    "bucket": "my-super-secure-session-data-bucket",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "AKIAIOSFODNN7EXAMPLE",
    "directory": "sessiondata" //optional
})).toString('base64'))

that will output a string that looks something like this:

eyJwcm92aWRlciI6IkFXUyIsInJlZ2lvbiI6InVzLWVhc3QtMiIsImJ1Y2tldCI6Im15LXN1cGVyLXNlY3VyZS1zZXNzaW9uLWRhdGEtYnVja2V0IiwiYWNjZXNzS2V5SWQiOiJBS0lBSU9TRk9ETk43RVhBTVBMRSIsInNlY3JldEFjY2Vzc0tleSI6IkFLSUFJT1NGT0ROTjdFWEFNUExFIiwiZGlyZWN0b3J5Ijoic2Vzc2lvbmRhdGEifQ==

Then set it in your config:

create({
...
"sessionDataBucketAuth" : "eyJwcm92aWRlciI6IkFXUyIsInJlZ2lvbiI6InVzLWVhc3QtMiIsImJ1Y2tldCI6Im15LXN1cGVyLXNlY3VyZS1zZXNzaW9uLWRhdGEtYnVja2V0IiwiYWNjZXNzS2V5SWQiOiJBS0lBSU9TRk9ETk43RVhBTVBMRSIsInNlY3JldEFjY2Vzc0tleSI6IkFLSUFJT1NGT0ROTjdFWEFNUExFIn0="
})

or if you're using the CLI, use the flag

> npx @open-wa/wa-automate@latest --session-data-bucket-auth="eyJwcm92aWRlciI6IkFXUyIsInJlZ2lvbiI6InVzLWVhc3QtMiIsImJ1Y2tldCI6Im15LXN1cGVyLXNlY3VyZS1zZXNzaW9uLWRhdGEtYnVja2V0IiwiYWNjZXNzS2V5SWQiOiJBS0lBSU9TRk9ETk43RVhBTVBMRSIsInNlY3JldEFjY2Vzc0tleSI6IkFLSUFJT1NGT0ROTjdFWEFNUExFIn0="

or as an environment variable:

> WA_SESSION_DATA_BUCKET_AUTH="eyJwcm92aWRlciI6IkFXUyIsInJlZ2lvbiI6InVzLWVhc3QtMiIsImJ1Y2tldCI6Im15LXN1cGVyLXNlY3VyZS1zZXNzaW9uLWRhdGEtYnVja2V0IiwiYWNjZXNzS2V5SWQiOiJBS0lBSU9TRk9ETk43RVhBTVBMRSIsInNlY3JldEFjY2Vzc0tleSI6IkFLSUFJT1NGT0ROTjdFWEFNUExFIn0=" npx @open-wa/wa-automate@latest --in-docker

note: you need to set --in-docker to tell the process to infer configs from the environmental variables.

Step 3 - Start your session

Now, every time your session starts or is authenticated, the latest version of the session data file will be saved to your S3 bucket.

Step 4 (optional) - Skip saving the session data file locally

Now that your session data is saved securely in a centralized bucket - you no longer need to have a local copy on your machine or in your VMs. Disabling the local saving of session files further improves your security and prevents somebody accessing your machine and stealing your sensitive session data files/credentials.

You can disable the local save of the files by setting skipSessionSave to true in your config, --skip-session-save as a CLI flag, or WA_SKIP_SESSION_SAVE=true as an environmental variable. Now the session data will only be present in the process itself.

Important

Just because you no longer have to worry about individual session files - it doesn't mean the security concern is over. You now have a new problem - how do I keep my sessionDataBucketAuth string secure! Well that depends on many things (e.g where you're hosting your code, open vs closed source, etc.), I suggest just googling how to keep node secrets secure and then going from there.

[smashah]

Answered above.

Please leave feedback on instructions below.

Thanks