Securing OAuth secrets


bdeter

Jul 28, 2010, 7:25:01 PM
to Grackle Development
This is not strictly a Grackle question, but I'm using it and finally
getting around to switching to OAuth, so I thought I'd start here.
I've got a single-user OAuth scenario - I use my own account to make
various Twitter API calls, so I don't need to store users' OAuth
information (yet). I'm using Sinatra with no database. I'm wondering
what the best (or an adequate) way is to protect my application's
OAuth secrets - the consumer secret and token secret. I don't like the
idea of all four pieces sitting there in my .rb file, and Twitter
recommends against that.

I've thought about setting them as environment variables in my Apache/
Passenger configuration or storing them in a read-only file on the
server. At least that way they wouldn't be checked into GitHub (it's a
private repo, but still...). Any other ideas?

Is there any point to encrypting them since I need two-way and if
someone gets access to the server, they'll have everything they need
to decrypt anyway?

Mostly unrelated, but in testing, I noticed that I can leave blank or
put in any value for 3 of the 4 OAuth parameters. As long as the token
secret is right, Twitter accepts it. Anyone else experience that?

Thanks!
Brian

Hayes Davis

Aug 1, 2010, 1:24:23 AM
to grac...@googlegroups.com
Brian,

I just store these in a separate yml config file. I would treat them with the level of concern you'd give to the passwords in a rails database.yml. Personally, I think additional encryption is overkill. If someone is in your server reading your config files, you've already got quite some issues to deal with above and beyond your Twitter OAuth credentials being exposed : )

Hayes
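The two approaches raised in this thread (Brian's environment variables or read-only file on the server, Hayes's separate yml config treated like database.yml) as one added Ruby example. This is not Grackle's code and not from either poster: the `OAuthSecrets` module, the `TWITTER_OAUTH_*` variable names and the YAML layout are assumptions. It loads the four values from a YAML file kept out of the repo or from the environment, refuses a config file that other accounts on the host can read, fails loudly on a half-filled set rather than sending a bad request to Twitter, and gives you a redacted copy that is safe to log.

```ruby
require "yaml"
require "tmpdir"

# Added example (not Grackle's code and not from either poster): keep the four
# OAuth values in a YAML file outside the repo, or in environment variables,
# and refuse a config file that other accounts on the host can read.
# The file layout and the TWITTER_OAUTH_* variable names are assumptions.
module OAuthSecrets
  KEYS = %w[consumer_key consumer_secret token token_secret].freeze
  ENV_PREFIX = "TWITTER_OAUTH_".freeze # e.g. TWITTER_OAUTH_CONSUMER_SECRET

  class Error < StandardError; end

  # Loads from +path+ if given, otherwise from ENV. Returns a Hash keyed by
  # symbol; raises Error rather than returning a half-filled set of secrets.
  def self.load(path: nil)
    creds = path ? from_file(path) : from_env
    missing = KEYS.select { |k| creds[k.to_sym].to_s.strip.empty? }
    raise Error, "missing OAuth settings: #{missing.join(', ')}" unless missing.empty?
    creds
  end

  def self.from_env
    KEYS.map { |k| [k.to_sym, ENV["#{ENV_PREFIX}#{k.upcase}"]] }.to_h
  end

  def self.from_file(path)
    perms = File.stat(path).mode & 0o777
    # Any group/other bit means another local account can read (or replace)
    # the secrets; insist on owner-only access, like an SSH private key.
    if (perms & 0o077) != 0
      raise Error, format("%s has mode %04o; it must be owner-only (chmod 600)", path, perms)
    end
    data = YAML.safe_load(File.read(path)) || {}
    raise Error, "#{path}: expected a YAML mapping of key: value" unless data.is_a?(Hash)
    KEYS.map { |k| [k.to_sym, data[k]] }.to_h
  end

  # Copy of the hash that is safe to log or inspect: every *_secret is masked.
  def self.redact(creds)
    creds.map { |k, v| [k, k.to_s.end_with?("secret") ? "[REDACTED]" : v] }.to_h
  end
end

# Stand-alone demo using a constructed config file in a temp directory.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "twitter.yml")
    File.write(path, "consumer_key: ck\nconsumer_secret: cs\ntoken: tk\ntoken_secret: ts\n")
    File.chmod(0o600, path)
    puts OAuthSecrets.redact(OAuthSecrets.load(path: path)).inspect
    File.chmod(0o644, path) # simulate a sloppy deploy; the loader now refuses it
    begin
      OAuthSecrets.load(path: path)
    rescue OAuthSecrets::Error => e
      puts "refused: #{e.message}"
    end
  end
end
```

In a Sinatra app you would call `OAuthSecrets.load(path: "/etc/myapp/twitter.yml")` (or `OAuthSecrets.load` with the variables set in the Passenger environment) once at boot and keep only the result in memory; add the file to `.gitignore` so the path is in the repo but the contents never are. The permission check is the practical form of "read-only file on the server": it turns a chmod mistake into a startup failure instead of a silent leak to every other account on the box.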

bdeter

Aug 1, 2010, 2:59:54 PM
to Grackle Development
Thanks. That's about what I thought but wanted to be sure I wasn't
missing some best practice.

Brian