How to specify key pair in configuration to avoid insecure hardcoded credentials #23

Closed
dahlia opened this issue Jul 4, 2013 · 13 comments

Comments

@dahlia commented Jul 4, 2013

Hi,

First of all, I really thank you for this great extension. One thing I am looking for is a way to specify the consumer key and secret key in a configuration file. I don't want to insecurely hardcode credentials in my application code. (It especially matters when you write an open source web application.) Flask-OAuthlib currently takes the key pair outside the application context (as Flask-OAuth does), so we cannot read the configuration at that time, since it could not have been loaded yet.

If this issue is invalid and there is a way to do it, it's okay to close the issue, but please document the way to do it.

Thanks,
Hong Minhee

@lepture (Owner) commented Jul 4, 2013

Let's take an example, the Twitter one:

You define all your configuration in your config file:

OAUTHLIB_TWITTER = dict(
    consumer_key='xBeXxg9lyElUgwZT6AZ0A',
    consumer_secret='aawnSpNTOVuDCjx7HMh6uSXetjNN8zWLpZwCEU4LBrk',
    base_url='https://api.twitter.com/1/',
    request_token_url='https://api.twitter.com/oauth/request_token',
    access_token_url='https://api.twitter.com/oauth/access_token',
    authorize_url='https://api.twitter.com/oauth/authenticate',
)

Now in your app.py:

from flask import Flask
from flask_oauthlib.client import OAuth


def create_app():
    app = Flask(__name__)
    # .... load configuration here, e.g. app.config.from_object(...)
    oauth = OAuth(app)
    # The key pair comes from the loaded config, not from the code.
    twitter = oauth.remote_app('twitter', **app.config['OAUTHLIB_TWITTER'])

    @twitter.tokengetter
    def load_twitter_token():
        # Return the stored (token, secret) pair for the current user;
        # None means no token is available yet.
        return None

    return app

@dahlia (Author) commented Jul 4, 2013

It seems to require the application factory pattern, right? Is there another way to inject the key pair settings without introducing a factory function?

@lepture (Owner) commented Jul 4, 2013

@dahlia What are you looking for? Any example on what you prefer?

@dahlia (Author) commented Jul 4, 2013

For example:

oauth = OAuth(app)
twitter = oauth.remote_app(
    'twitter',
    consumer_key_config='TWITTER_CONSUMER_KEY',
    consumer_secret_config='TWITTER_CONSUMER_SECRET',
    base_url='https://api.twitter.com/1/',
    request_token_url='https://api.twitter.com/oauth/request_token',
    access_token_url='https://api.twitter.com/oauth/access_token',
    authorize_url='https://api.twitter.com/oauth/authenticate'
)

and then the key pair is lazily loaded after these two configurations are ready.

@lepture (Owner) commented Jul 4, 2013

@dahlia I will take this into consideration. I am currently working on the OAuth1 provider, and I will look into the client later when the OAuth1 provider is done.

@dahlia (Author) commented Jul 4, 2013

Thanks for your consideration. 😄

@lepture (Owner) commented Jul 4, 2013

@dahlia WOW, you are the author of wand. I am using it right now. 😄

@dahlia (Author) commented Jul 4, 2013

@lepture 👍

@lepture (Owner) commented Jul 5, 2013

@dahlia I am going to do it this way:

oauth = OAuth()
twitter = oauth.remote_app('twitter', app_key='OAUTHLIB_TWITTER')
# OAUTHLIB_TWITTER in config is a dict containing all the information

@lepture lepture closed this in 7cf80f9 Jul 5, 2013

lepture added a commit that referenced this issue Jul 5, 2013
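The two designs discussed above (the factory that unpacks app.config['OAUTHLIB_TWITTER'] into remote_app, and the 0.3.0 app_key lookup that lets the remote app be declared before the config exists) both rest on one idea: the key pair is resolved from configuration at use time, never written in code. The following is an added, stand-alone Python illustration of that idea, not Flask-OAuthlib's own code. It assumes the environment variable names TWITTER_CONSUMER_KEY and TWITTER_CONSUMER_SECRET and the helper names LazyRemoteApp, load_config_from_env and demo, and it deliberately avoids importing Flask so it runs anywhere; the real extension attaches the lookup to the Flask app's config instead.

```python
import os
from typing import Any, Mapping, Optional

# Settings that must never be written in application code.
REQUIRED_SETTINGS = ("consumer_key", "consumer_secret")

# Environment variables holding the Twitter key pair (names assumed here).
ENV_KEY = "TWITTER_CONSUMER_KEY"
ENV_SECRET = "TWITTER_CONSUMER_SECRET"


def load_config_from_env(environ: Mapping[str, str] = os.environ) -> dict:
    """Build the OAUTHLIB_TWITTER config section from environment variables,
    so the key pair lives outside the repository. Fails loudly if either
    value is absent or empty rather than registering a half-configured app."""
    missing = [name for name in (ENV_KEY, ENV_SECRET) if not environ.get(name)]
    if missing:
        raise RuntimeError("missing OAuth credentials: " + ", ".join(missing))
    return {
        "OAUTHLIB_TWITTER": {
            "consumer_key": environ[ENV_KEY],
            "consumer_secret": environ[ENV_SECRET],
            "base_url": "https://api.twitter.com/1/",
            "request_token_url": "https://api.twitter.com/oauth/request_token",
            "access_token_url": "https://api.twitter.com/oauth/access_token",
            "authorize_url": "https://api.twitter.com/oauth/authenticate",
        }
    }


class LazyRemoteApp:
    """Minimal stand-in for a remote app registered with app_key=...:
    it can be created at import time, before any configuration exists,
    and resolves its settings only when they are first used."""

    def __init__(self, name: str, app_key: Optional[str] = None, **static: Any):
        self.name = name
        self.app_key = app_key
        self._static = static  # non-secret settings given in code
        self._config: Optional[Mapping[str, Any]] = None

    def init_app(self, config: Mapping[str, Any]) -> None:
        """Attach the loaded configuration later, as OAuth.init_app(app) does."""
        self._config = config

    def settings(self) -> dict:
        """Merge code defaults with the config section; config wins."""
        merged = dict(self._static)
        if self.app_key is not None:
            if self._config is None:
                raise RuntimeError(
                    f"{self.name}: configuration not attached yet; call init_app()")
            section = self._config.get(self.app_key)
            if not isinstance(section, Mapping):
                raise RuntimeError(f"{self.name}: {self.app_key!r} missing from config")
            merged.update(section)
        missing = [k for k in REQUIRED_SETTINGS if not merged.get(k)]
        if missing:
            raise RuntimeError(f"{self.name}: missing " + ", ".join(missing))
        return merged

    @property
    def consumer_key(self) -> str:
        return self.settings()["consumer_key"]

    @property
    def consumer_secret(self) -> str:
        return self.settings()["consumer_secret"]


# Module-level registration without a factory: nothing secret appears here,
# only the name of the config section to look up later.
twitter = LazyRemoteApp("twitter", app_key="OAUTHLIB_TWITTER")


def demo(environ: Mapping[str, str]) -> dict:
    """Load config from `environ`, attach it, and return the resolved settings."""
    config = load_config_from_env(environ)
    twitter.init_app(config)
    return twitter.settings()


if __name__ == "__main__":
    # Constructed sample environment; these are not real credentials.
    sample_env = {ENV_KEY: "example-key", ENV_SECRET: "example-secret"}
    print(demo(sample_env)["base_url"])
```

Reading twitter.consumer_key before init_app has run raises instead of silently returning None, which is the failure mode that matters: a remote app that registers with an empty secret will only fail later, at the provider, with a less useful error.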

@lepture (Owner) commented Jul 5, 2013

@dahlia (Author) commented Jul 5, 2013

Really thank you! 👍

@lepture (Owner) commented Jul 10, 2013

@dahlia 0.3.0 is out, you can use this version now.

@kanghyojun commented Jul 10, 2013

+1
