Store user credentials safely

thiago.eec · 08-24-2019, 04:03 PM

Hi, everyone.

I'm using urllib requests to fetch data from a website. The thing is the user needs to be logged in. The method works, but I am concerned about safety.

I don't want to write it to a json file as plain text. How can I securely get user credentials and store it using calibre plugin api?

lumpynose · 08-24-2019, 04:42 PM

If they support it, I'd say use OAuth.

You don't store any credentials; they authenticate on the site and you get the access key which is what's used after they authenticate.

Although I don't know how you'd manage the initial login where you get the OAuth access key, which is what you use thereafter.

thiago.eec · 08-24-2019, 04:47 PM

I can't use OAuth, because the website does not provide an API (their faq says they have one, but haven't disclosed it to the public yet

).

kovidgoyal · 08-24-2019, 10:08 PM

Safely from whom? Whatever technique you use to store the password has to be automatically reversible without input from the user, which means any person or program can reverse it trivially.

thiago.eec · 08-25-2019, 04:03 AM

Hi, Kovid.

I was thinking to use something like keyring lib, which uses the OS to handle the credentials.

kovidgoyal · 08-25-2019, 04:33 AM

You can do so if you like, but personally, i always found keyrings to be security theatre, unless they are set up to ask for confirmation on every access, which almost no one ever does. And note that some systems, especially linux ones may not have a functional keyrin at all, so you will need to have a fallback mechanism in place as well.

thiago.eec · 08-25-2019, 05:16 AM

Good point.

Just one last question: how calibre handles user credentials for recipes? How does it store them?

kovidgoyal · 08-25-2019, 08:17 AM

IIRC, They are just stored in a config file using some simple onfuscation to deter casual snooping.

08-24-2019, 04:03 PM	#1
thiago.eec Guru Posts: 927 Karma: 1177583 Join Date: Dec 2016 Location: Goiânia - Brazil Device: iPad, Kindle Paperwhite	Store user credentials safely Hi, everyone. I'm using urllib requests to fetch data from a website. The thing is the user needs to be logged in. The method works, but I am concerned about safety. I don't want to write it to a json file as plain text. How can I securely get user credentials and store it using calibre plugin api?

08-24-2019, 04:42 PM	#2
lumpynose Wizard Posts: 1,086 Karma: 6719822 Join Date: Jul 2012 Device: Palm Pilot M105	If they support it, I'd say use OAuth. You don't store any credentials; they authenticate on the site and you get the access key which is what's used after they authenticate. Although I don't know how you'd manage the initial login where you get the OAuth access key, which is what you use thereafter. Last edited by lumpynose; 08-24-2019 at 04:45 PM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Store user annotations in the EPUB file	SubjectRob	Reading and Management	1	02-11-2017 01:13 PM
[FALSE] 80,000 Amazon Login Credentials Leaked	geekmaster	Amazon Kindle	21	08-16-2016 10:02 AM
u.s kindle store for international user	Dih	Amazon Kindle	7	06-30-2014 07:41 PM
Google Play store & multi-user support	avantman42	Kindle Fire	11	04-11-2013 08:17 PM
Where does calibre store user preferences	samgandhi9	Calibre	1	08-25-2011 01:27 PM

08-24-2019, 04:47 PM	#3
thiago.eec Guru Posts: 927 Karma: 1177583 Join Date: Dec 2016 Location: Goiânia - Brazil Device: iPad, Kindle Paperwhite	I can't use OAuth, because the website does not provide an API (their faq says they have one, but haven't disclosed it to the public yet ).

08-24-2019, 10:08 PM	#4
kovidgoyal creator of calibre Posts: 43,858 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	Safely from whom? Whatever technique you use to store the password has to be automatically reversible without input from the user, which means any person or program can reverse it trivially.

08-25-2019, 04:03 AM	#5
thiago.eec Guru Posts: 927 Karma: 1177583 Join Date: Dec 2016 Location: Goiânia - Brazil Device: iPad, Kindle Paperwhite	Hi, Kovid. I was thinking to use something like keyring lib, which uses the OS to handle the credentials.

08-25-2019, 04:33 AM	#6
kovidgoyal creator of calibre Posts: 43,858 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	You can do so if you like, but personally, i always found keyrings to be security theatre, unless they are set up to ask for confirmation on every access, which almost no one ever does. And note that some systems, especially linux ones may not have a functional keyrin at all, so you will need to have a fallback mechanism in place as well.

08-25-2019, 05:16 AM	#7
thiago.eec Guru Posts: 927 Karma: 1177583 Join Date: Dec 2016 Location: Goiânia - Brazil Device: iPad, Kindle Paperwhite	Good point. Just one last question: how calibre handles user credentials for recipes? How does it store them?

08-25-2019, 08:17 AM	#8
kovidgoyal creator of calibre Posts: 43,858 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	IIRC, They are just stored in a config file using some simple onfuscation to deter casual snooping.