[Labs-l] Storing oauth tokens in a tool account

[Bryan Davis]

On Thu, Feb 2, 2017 at 7:13 PM, Sam Wilson <sam at samwilson.id.au> wrote:
> Hello labradors (that's the collective noun, yes?),
>
> I'm working on a tool http://tools.wmflabs.org/ia-upload/test/ that
> needs to do some time-consuming file processing before uploading the
> result to Commons. To do this, it saves users' oauth access tokens in
> local (non-web-accessible) files and then a separate CLI process comes
> along and uses the tokens to do the upload. Then the token is deleted.
>
> I realise that it's probably not a very good idea to store people's
> credentials like this! Are there any guidelines about how to do this?
> What is the best way? I don't really want to have to ask users to come
> back and do the upload (although, it could email them when their file is
> ready, if tokens shouldn't be stored at all).

I would use a tool specific database table [0] rather than the local
files system mostly to avoid using NFS to save state. Otherwise this
is not a horrible practice. The token that your app receives is only
valid in combination with the app's secret key. You should do anything
you can to prevent it from being leaked to other users of the
application as that would allow them to impersonate the true owner.
Storage in a database table that is owned by your tool and not
readable by other tools or as you are doing in a file if that file is
not world readable are reasonable precautions. Fundamentally you
should treat the user's OAuth token the same way you would treat the
password for a bot account or any other authentication secret.

[0]: https://wikitech.wikimedia.org/wiki/Help:Tool_Labs/Database#User_databases

Bryan
-- 
Bryan Davis              Wikimedia Foundation    <bd808 at wikimedia.org>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855