
Storing Passwords for Third Party Services

My application is Ruby on Rails, but I expect any answers to this question will probably be framework-agnostic.

My application sends emails via Gmail SMTP using Rails ActionMailer, a la:

```ruby
mail = MyActionMailerSubclass.setup_email

# SMTP settings for Gmail, with the account password hard-coded in the source
options = { :address              => "smtp.gmail.com",
            :port                 => 587,
            :domain               => 'mydomain.com',
            :user_name            => 'myuser@mydomain.com',
            :password             => 's3cur3p@s$w0rd',
            :authentication       => 'plain',
            :enable_starttls_auto => true }

mail.delivery_method :smtp, options
mail.deliver
```

OK, that's great... there's my password for Gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.

Salting and hashing, the usual technique, won't work here because I need to send the password along to Gmail.

So, what strategies are there for securing a password for a third party service?

Ultimately that user name and password won't even belong to me; they will belong to the application end-user.

Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.

Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.

If the application is private then this should be of no concern, but I'm guessing it's for a public / open-source application.

If that is the case, then add a basic example of that file as config/initializers/mail.rb.example and add the real thing to your .gitignore file so that it's never committed. After that, add instructions to the README that people will need to copy over the mail.rb.example file to mail.rb in order for the application to work as intended.
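Following the approach in this answer, here is an added example (not code from the original post or any answer) of an initializer that builds the SMTP settings from the question out of a gitignored config/mail.yml, with SMTP_* environment variables taking precedence, and refuses to boot with a missing value or a placeholder copied from the .example file. The file path, variable names and placeholder values are assumptions.

```ruby
require 'yaml'

# Keys the SMTP configuration from the question must supply (assumed set).
REQUIRED_SMTP_KEYS = %w[address port domain user_name password].freeze
# Values that only ever belong in the committed .example file (assumed).
PLACEHOLDER_VALUES = %w[CHANGEME changeme your-password].freeze

# Reads config/mail.yml if present, then overlays SMTP_<KEY> environment
# variables so production can keep the secret out of the filesystem entirely.
# Raises ArgumentError for a missing value or a leftover placeholder.
def load_smtp_settings(path: 'config/mail.yml', env: ENV)
  file_settings = File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : {}
  settings = {}
  REQUIRED_SMTP_KEYS.each do |key|
    value = env["SMTP_#{key.upcase}"] || file_settings[key]
    if value.nil? || value.to_s.strip.empty?
      raise ArgumentError, "SMTP setting '#{key}' is missing (copy config/mail.yml.example)"
    end
    if PLACEHOLDER_VALUES.include?(value.to_s)
      raise ArgumentError, "SMTP setting '#{key}' still holds the example placeholder"
    end
    settings[key.to_sym] = value
  end
  settings[:port] = Integer(settings[:port])
  settings[:authentication] = :plain
  settings[:enable_starttls_auto] = true
  settings
end

# Checks that the real secrets file is listed in .gitignore so it cannot be
# committed by accident; gitignore_lines can be injected for testing.
def secrets_file_ignored?(path: 'config/mail.yml',
                          gitignore_lines: File.exist?('.gitignore') ? File.readlines('.gitignore', chomp: true) : [])
  gitignore_lines.any? { |line| [path, "/#{path}"].include?(line.strip) }
end

# Boot-time wiring when running inside Rails (skipped when run stand-alone).
if defined?(ActionMailer)
  raise 'config/mail.yml is not in .gitignore' unless secrets_file_ignored?
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = load_smtp_settings
end
```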
