Publishing profiles should not be stored in appsettings.json
Describe the bug
Publishing profiles contain unencrypted secrets; appsettings.json is normally checked into source control and should not contain sensitive information.
Version
Version: 1.4.0-nightly.237504.97571e0 Electron: 8.2.4 Chrome: 80.0.3987.165 NodeJS: 12.13.0 V8: 8.0.426.27-electron.0
To Reproduce
Steps to reproduce the behavior:
- Create a publishing profile in composer
- Open appsettings.json and see your bot password and other secrets there
Expected behavior
Publishing profiles should not be stored in appsettings.json
Additional context
appsettings.json is normally not in .gitignore, and developers use it to share common configuration settings (excluding secrets).
Known issue. The decision was to punt until we take on the KeyVault workstream, something not funded in Cobalt.
Moving out of R13 and putting on project board in the R14 backlog to consider.
I'd like to just bring this to attention, as I was inundated with "problems with secrets in repositories" from our secrets police and a lot of them were that I just stored my bot composer projects as is. We should rectify this, since if it's not good enough for our internal policies, it should not be good enough for our customers, either.
I'm wondering if this will be worked on soon? In my company we have to get fancy with git hooks and file parsing just to make sure none of our sensitive (Microsoft and other) credentials end up in GitHub / Bitbucket. Normally all dev solutions bring some way to omit this, be it env vars, key vaults, or whatever. In an age where digital security is a real issue and threat, this is kind of a must-have, I would say!
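As an added example, not part of this thread or of the Composer project: a pre-commit-style check in Python that parses appsettings.json and flags credential-bearing keys, the kind of file parsing the previous comment describes. The key-name heuristic and the sample document are constructed for illustration.

```python
import json
import re

# Heuristic: key names that commonly carry credentials in a bot project's
# appsettings.json. Constructed list, not exhaustive.
SECRET_KEY_PATTERN = re.compile(
    r"(password|secret|apikey|token|connectionstring|authoringkey)", re.IGNORECASE
)


def find_secret_values(config, path=""):
    """Walk parsed JSON and return (dotted_path, value) pairs whose key name
    looks credential-bearing and whose value is a non-empty string."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings.extend(find_secret_values(value, child))
            elif isinstance(value, str) and value.strip() and SECRET_KEY_PATTERN.search(key):
                findings.append((child, value))
    elif isinstance(config, list):
        for i, item in enumerate(config):
            findings.extend(find_secret_values(item, f"{path}[{i}]"))
    return findings


def check_appsettings(text):
    """Return the flagged paths for an appsettings.json document.
    A non-empty result means the file should not be committed as-is."""
    return [p for p, _ in find_secret_values(json.loads(text))]


# Constructed sample: a publishing profile written into appsettings.json,
# with one empty credential field that should not be flagged.
SAMPLE = """{
  "MicrosoftAppId": "00000000-0000-0000-0000-000000000000",
  "MicrosoftAppPassword": "constructed-sample-password",
  "publishTargets": [
    {"name": "prod", "configuration": {"luisAuthoringKey": "constructed-sample-key"}}
  ],
  "emptyPassword": ""
}"""

if __name__ == "__main__":
    flagged = check_appsettings(SAMPLE)
    for p in flagged:
        print(f"credential-bearing value at {p}")
    raise SystemExit(1 if flagged else 0)  # non-zero exit blocks the commit
```

Run from a pre-commit hook against the staged appsettings.json; a non-zero exit aborts the commit.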