That is, want a Rails application that lets me see a customized view of the user’s Gmail calendar. But it’ll be on shared hosting so don’t want to store credentials, or have them in the clear.
Question: Can I securely access Gmail for a Rails app on shared hosting non-SSL without putting credentials at risk? How would I do this? (e.g. does OAuth or OpenID solve this)
Requirements would be:
- Rails application will call Google Calendar via API
- No credentials stored on shared hosting site (e.g. in database or whatever) – MANDATORY
- Rails site is non-SSL – MANDATORY (for the purpose of this question)
- Ability to stay logged in whilst browser still open – DESIREABLE (assume using session id…assuming this is secure)
For example exiting approach I’ve used which wouldn’t satisfy my requirements on my non-SSL rails site (on a shared host) would be:
# Get Google Calendar
service = GCal4Ruby::Service.new
service.authenticate("<google account name>", "<password>") # <== requires password
cal = GCal4Ruby::Calendar.find(service, "myCalendar")[0]
# Get Google Events
search_str = "<search str>"
@events = GCal4Ruby::Event.find(cal, search_str, params)
You will get mixed content if you try to include in an
httppage anhttpsGoogle calendar view loaded as aniframe.If you’re just doing API calls, as long as the API calls are from your server to an encrypted endpoint,
https://calendar.google.comor something similar, then there are no problems.If you’re doing API calls from a non-
httppage in the browser, then a determined attacker will be able to eavesdrop on any data you serve, including credentials sent to the browser for forwarding to the calendar service.If you’re sending credentials to the browser you should also worry about exfiltration via XSS.