 

Storing Passwords for Third Party Services

My application is Ruby on Rails, but I expect any answers to this question will probably be framework-agnostic.

My application sends emails via Gmail SMTP using Rails ActionMailer, à la:

# Mail::Message built by the application's ActionMailer subclass
mail = MyActionMailerSubclass.setup_email

options = { :address              => "smtp.gmail.com",
            :port                 => 587,
            :domain               => 'mydomain.com',
            :user_name            => '[email protected]',
            :password             => 's3cur3p@s$w0rd',   # the credential in question, in the clear
            :authentication       => 'plain',
            :enable_starttls_auto => true }

mail.delivery_method :smtp, options   # Mail::Message#delivery_method(method, settings)
mail.deliver

OK, that's great... there's my password for Gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.

Salting and hashing, the usual technique, won't work here because I need to send the password along to Gmail.

So, what strategies are there for securing a password for a third party service?

Ultimately that user name and password won't even belong to me; they will belong to the application end-user.

SooDesuNe asked Nov 29 '10 02:11


1 Answer

Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.

Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.

mgiuca answered Sep 17 '22 23:09
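The following is an added example and not code from the question or the answer above. It shows what "authenticating without the password" looks like on the wire for Gmail SMTP. The mechanism Gmail supports today is SASL XOAUTH2, the successor to the XOAUTH the answer refers to; the client sends `AUTH XOAUTH2` followed by the base64 encoding of `user=<address>\x01auth=Bearer <access token>\x01\x01`. The application therefore only ever holds an OAuth token for the mailbox, which is scope-limited and revocable by the user, instead of the user's Gmail password. The address and the access token values below are constructed placeholders; a real token comes back from Google's OAuth token endpoint after the end user consents. The decoder is included only so the encoder's output can be checked offline.

```ruby
# Added example (not part of the original post): building the SASL XOAUTH2
# initial client response that Gmail SMTP expects, so the application
# authenticates with an OAuth bearer token rather than the user's password.
#
# Wire format (Google's XOAUTH2 specification):
#   "user=" + address + "\x01" + "auth=Bearer " + access_token + "\x01\x01"
# base64-encoded, sent as:  AUTH XOAUTH2 <encoded>

CTRL_A = "\x01".freeze

# Build the base64 initial client response.  The \x01 separator must not
# appear inside either field, otherwise the server would mis-split them.
def xoauth2_initial_response(user, access_token)
  if [user, access_token].any? { |s| s.include?(CTRL_A) }
    raise ArgumentError, "user and token must not contain \\x01"
  end
  raw = "user=#{user}#{CTRL_A}auth=Bearer #{access_token}#{CTRL_A}#{CTRL_A}"
  [raw].pack("m0") # strict base64, no line breaks
end

# The SMTP command line the client sends (RFC 4954: mechanism name plus the
# initial response on the same line).
def smtp_auth_command(user, access_token)
  "AUTH XOAUTH2 #{xoauth2_initial_response(user, access_token)}"
end

# Server-side view, used here to check the encoder round-trips: decode the
# base64, require the \x01\x01 terminator, and split into key/value fields.
# Returns a Hash such as {"user" => ..., "auth" => "Bearer ..."}, or nil if
# the input is malformed.
def parse_xoauth2_initial_response(encoded)
  raw = encoded.unpack1("m0") # strict decode; raises ArgumentError on bad input
  return nil unless raw.end_with?("#{CTRL_A}#{CTRL_A}")
  fields = raw.chomp("#{CTRL_A}#{CTRL_A}").split(CTRL_A)
  parsed = fields.each_with_object({}) do |field, h|
    key, value = field.split("=", 2)
    return nil if value.nil?
    h[key] = value
  end
  return nil unless parsed["auth"].to_s.start_with?("Bearer ")
  parsed
rescue ArgumentError
  nil
end

if __FILE__ == $0
  # Constructed placeholder values; a real token is issued by Google's OAuth
  # token endpoint after the end user grants the mail scope.
  user  = "alice@example.com"
  token = "ya29.example-access-token"
  puts smtp_auth_command(user, token)
  p parse_xoauth2_initial_response(xoauth2_initial_response(user, token))
end
```

The access token is still a bearer credential, so it gets the same at-rest protection the password would have needed, but it is short-lived, limited to the mail scope the user granted, and can be revoked by the user without changing their Gmail password. What the application persists is the refresh token, which it exchanges for a fresh access token before each SMTP session.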