Storing passwords for third-party services

Time: 2022-05-01 22:58:47

My application is ruby-on-rails, but I expect any answers to this question will probably be framework agnostic.


My application sends emails via gmail SMTP using rails ActionMailers a-la:


mail = MyActionMailerSubclass.setup_email

options = { :address              => "smtp.gmail.com",
            :port                 => 587,
            :domain               => 'mydomain.com',
            :user_name            => 'myuser@mydomain.com',
            :password             => 's3cur3p@s$w0rd',   # the plaintext secret the question is about
            :authentication       => 'plain',
            :enable_starttls_auto => true }

mail.delivery_method :smtp, options
mail.deliver

Ok, that's great...there's my password for gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.


Salting and hashing, the usual technique, won't work here because I need to send the password along to gmail.


So, what strategies are there for securing a password for a third party service?


Ultimately that user name and password won't even belong to me, they will belong to the application end-user.


2 solutions

#1


4  

Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.


Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.


#2


0  

If the application is private then this should be of no concern, but I'm guessing it's for a public / open-source application.


If that is the case, then add a basic example of that file as config/initializers/mail.rb.example and add the real thing to your .gitignore file so that it's never committed. After that, add instructions to the README that people will need to copy over the mail.rb.example file to mail.rb in order for the application to work as intended.

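Putting both answers into code, as an added example that is not from the question or either answer: the SMTP options are built from environment variables (the committed mail.rb.example would document the variable names; the real values never enter git), the options hash is redacted before it can reach a log, and the XOAUTH2 initial client response shows what the application holds instead of the user's password once OAuth is in use. The environment hash and variable names are assumptions, as is the use of XOAUTH2, the current form of the XOAUTH mechanism the first answer names.

```ruby
require 'base64'

# Constructed example settings for this demonstration; not real credentials.
# In a real deployment these come from the process environment (ENV),
# which is what config/initializers/mail.rb would read.
EXAMPLE_ENV = {
  'SMTP_ADDRESS'   => 'smtp.gmail.com',
  'SMTP_PORT'      => '587',
  'SMTP_DOMAIN'    => 'mydomain.com',
  'SMTP_USER_NAME' => 'myuser@mydomain.com',
  'SMTP_PASSWORD'  => 'example-app-password-not-real'
}.freeze

# Build the ActionMailer SMTP options from an environment hash instead of
# literals in the source tree. Raises if a required value is absent so a
# misconfigured deployment fails at boot rather than at the first send.
def smtp_options_from(env)
  required = %w[SMTP_ADDRESS SMTP_USER_NAME SMTP_PASSWORD]
  missing = required.reject { |k| env[k] && !env[k].empty? }
  raise KeyError, "missing SMTP settings: #{missing.join(', ')}" unless missing.empty?

  {
    address:              env['SMTP_ADDRESS'],
    port:                 Integer(env.fetch('SMTP_PORT', '587')),
    domain:               env['SMTP_DOMAIN'],
    user_name:            env['SMTP_USER_NAME'],
    password:             env['SMTP_PASSWORD'],
    authentication:       'plain',
    enable_starttls_auto: true
  }
end

# Copy of the options safe to log or put in an error report.
def redacted(options)
  options.merge(password: '[REDACTED]')
end

# SASL XOAUTH2 initial client response (assumption: XOAUTH2 is the current
# mechanism). The application stores only a short-lived, revocable access
# token for the user's account, never the account password.
def xoauth2_initial_response(user, access_token)
  Base64.strict_encode64("user=#{user}\x01auth=Bearer #{access_token}\x01\x01")
end
```

With `mail.delivery_method :smtp, smtp_options_from(ENV)` the committed code contains no secret, and the XOAUTH2 string is what a client sends after `AUTH XOAUTH2` in place of a PLAIN credential.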
