
Storing Passwords for Third Party Services

My application is ruby-on-rails, but I expect any answers to this question will probably be framework agnostic.

My application sends emails via Gmail SMTP using Rails ActionMailer, à la:

mail = MyActionMailerSubclass.setup_email

options = { :address              => "smtp.gmail.com",
            :port                 => 587,
            :domain               => 'mydomain.com',
            :user_name            => 'myuser@mydomain.com',
            :password             => 's3cur3p@s$w0rd',
            :authentication       => 'plain',
            :enable_starttls_auto => true }

mail.delivery_method :smtp, options
mail.deliver

OK, that's great... there's my password for Gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.

Salting and hashing, the usual technique, won't work here because I need to send the password along to Gmail.

So, what strategies are there for securing a password for a third party service?

Ultimately that user name and password won't even belong to me; they will belong to the application end-user.

Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.

Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.

If the application is private then this should be of no concern, but I'm guessing it's for a public / open-source application.

If that is the case, then add a basic example of that file as config/initializers/mail.rb.example and add the real thing to your .gitignore file so that it's never committed. After that, add instructions to the README that people will need to copy over the mail.rb.example file to mail.rb in order for the application to work as intended.
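One way to carry out that file-based approach in Ruby, as an added example that is not from the question or either answer: the loader below reads the gitignored credentials file, refuses to start when the file is missing or readable by other users, and produces a redacted copy of the settings for logging. The file name config/mail.yml, the YAML layout and the sample values are assumptions for illustration.

```ruby
require "yaml"
require "tmpdir"
# Keys the :smtp delivery method needs; a missing one usually means the real
# file was never copied over from the committed .example template.
REQUIRED_SMTP_KEYS = %w[address port domain user_name password].freeze

# Load SMTP settings from a credentials file listed in .gitignore and return a
# symbol-keyed hash shaped for `mail.delivery_method :smtp, opts`. Fails closed:
# there is no fallback to a password hard-coded in the application.
def load_smtp_settings(path)
  raise ArgumentError, "#{path} missing; copy #{path}.example to #{path}" unless File.exist?(path)
  # Reject group/world-readable files (POSIX mode bits; assumes a Unix host).
  mode = File.stat(path).mode & 0o777
  raise SecurityError, format("%s is mode %04o; expected 0600", path, mode) if (mode & 0o077) != 0
  raw = YAML.safe_load(File.read(path)) || {}
  missing = REQUIRED_SMTP_KEYS - raw.keys
  raise ArgumentError, "#{path} lacks keys: #{missing.join(', ')}" unless missing.empty?
  {
    address:              raw["address"],
    port:                 Integer(raw["port"]),
    domain:               raw["domain"],
    user_name:            raw["user_name"],
    password:             raw["password"],
    authentication:       raw.fetch("authentication", "plain"),
    enable_starttls_auto: raw.fetch("enable_starttls_auto", true)
  }
end

# Copy of the settings that is safe to log or show on an error page.
def redacted(settings)
  settings.merge(password: "[REDACTED]")
end

# Constructed sample of the gitignored config/mail.yml (not real credentials).
SAMPLE_MAIL_YML = <<~YAML
  address: smtp.gmail.com
  port: 587
  domain: mydomain.com
  user_name: myuser@mydomain.com
  password: "example-app-password"
YAML

# Write the sample to a temp file with the given mode, then load it.
def load_sample_with_mode(mode)
  Dir.mktmpdir do |dir|
    path = File.join(dir, "mail.yml")
    File.write(path, SAMPLE_MAIL_YML)
    File.chmod(mode, path)
    return load_smtp_settings(path)
  end
end
```

In a Rails initializer the returned hash would be passed straight to `config.action_mailer.smtp_settings`, and config/mail.yml.example (with placeholder values) is what gets committed.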

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM