
Protect OAuth token with password

Open gragib opened this issue 4 years ago • 3 comments

In a scenario where the app is hosted on a shared domain, any app in that domain can read the IndexedDB database. E.g. GitHub Pages on GitHub Enterprise.

The OAuth token should be protected with a password. The webapp should ask for the password on every reload if an OAuth token is saved in IndexedDB.

gragib, Feb 14 '21 21:02

Do you mean ask the password every time they refresh/visit the app?

If yes, how would you save the token itself? Do you plan to use symmetric encryption to encrypt the token and save it in the browser? If yes, how would you treat the secret key?

xcv58, Feb 15 '21 07:02

Yes. Here's what I have in mind:

  1. Ask for the password on every start if an OAuth token is stored in IndexedDB, or if the user is saving a new OAuth token.
  2. The password can be used to derive a key using, say, PBKDF2, and this key can be used to encrypt/decrypt the OAuth token.
  3. The encrypted OAuth token is saved in IndexedDB.
  4. Every time the application is started, ask for the password, derive the key, read the encrypted token from IndexedDB and keep the decrypted token in memory; never commit the decrypted token to disk.

gragib, Feb 15 '21 15:02

I don't think asking passphrase on every visit/refresh is a proper user experience. We should consider alternative ways to protect the local token.

xcv58, Feb 15 '21 19:02