I’m developing a small webapp in python that’ll interact with a users dropbox account. What is the best way to store the Oauth tokens for that account in a flat file?
Is hashing the tokens secure enough? Or should I encrypt them? If encrypting them is the way to go, how would you suggest storing the key, since 2 way encryption would be necessary to decrypt the tokens for sending to Dropbox?
I could load up sqlite and store the tokens in there, but I’m wondering if there’s a good way to do it using flat files. Same issue is run into with Sqlite, since its also a file. Of course, the file permissions would only be set to the least permissible privilege to be accessed by the webapp.
Hashing won’t work, since, as skjaidev mentions, it’s one way.
If you have a reasonable fear that your file or database will get stolen(*), encryption is the way to go. But indeed as you mention, your app will need the decryption key, so the question is where to store it. Obviously storing it in the same spot as the data, doesn’t enhance security. Please consider the following:
Best is to have your decryption key not on the filesystem at all, but just in the computer memory. A good hacker with root access or physical access may still get to it, but I would argue that in 99% of the cases that hackers get access to the file systems, they won’t be able to read the memory as well (in the cases they steal backups, steal the physical machine (turning it off in the process), get user-level access, etc). This is basically the keychain-approach. Problem is, how to get the decryption key into the memory, and there is only one solution that I know of: type it in (or some other password that decrypts the decryption key) every time the application starts. Whether this is acceptable depends on how often your application will restart.
There is one other method. If you only need access to dropbox when your users are actually logged in to your app, you can consider encrypting the token with some unique user property (or instance the password that the user uses to log in to your site, or some random string you set in a cookie on the first visit). In this case you can also consider storing the whole access token encrypted in a cookie (and not on your server at all).
Whatever method you choose, it will never really protect, as you mention yourself. If your app can get to decrypted tokens (which it can, else your app would not need to store them in the first place), some hacker with unlimited privileged can as well. The nice thing about access tokens is, though, that probably they can be easily revoked, so if they get stolen it’s probably not the end of the world; and a hacker knows they can be easily revoked so they will hardly be interesting as a target.
(*) Note: it’s always reasonable to assume that stuff will get stolen eventually one way or another. I can imagine though that if you set up a small site for 20 friends on your home PC, you care less about your passwords being stolen, than when you’re building the next instagram. It’s always a tradeoff between security and amount of work. As mentioned, having your tokens in a flat file in stead of a database (if handled correctly) should make it less likely that they get stolen.