How to encrypt secret / OAuth tokens in my rails database?

I have a Ruby on Rails application (v4.0.1, although I don't think it is relevant here) that runs on Ruby 2.0, and I let my users authorize third-party services via OAuth to give me access to their data.

I saved the app's Consumer Key and Consumer Secret in environment variables that are kept out of source control.

After the last callback in the OAuth / OAuth2 dance, I have tokens for each of my users that can be used to access their information.

For my login credentials I use one-way hashing so that I don't store their passwords in my database in plain text, so I suppose I should do something similar with their tokens; but since I need to use these tokens to access their data, I need to be able to recover the plain text, so I'm trying to figure out the best way to do symmetric encryption.

I plan on storing the encryption key as an environment variable and then using something like https://gist.github.com/nono/2995118 to encrypt the tokens. Is it safe?

Do people use the https://github.com/reidmorrison/symmetric-encryption gem?

I'm trying to stop myself from reinventing the wheel. Any tips?

+4
2 answers

I ended up using the attr_encrypted gem - https://github.com/attr-encrypted/attr_encrypted

and I added my passphrase to my .env file so that it is not under version control.

Here's how you use it:

attr_encrypted :email, :key => 'a secret key'

0
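As an added illustration (not code from the answer above or from the attr_encrypted project), the following shows what a gem like that has to do under the hood: encrypt each stored OAuth token with Ruby's standard-library OpenSSL binding (AES-256-GCM), with the key loaded from an environment variable rather than written into the model. The variable name OAUTH_TOKEN_KEY, the hex key encoding and the dot-joined storage format are assumptions of this example.

```ruby
# Added example, not part of the original answer: authenticated symmetric
# encryption of OAuth tokens for storage in a text column, key from ENV.
require 'openssl'
require 'base64'

module TokenCrypto
  CIPHER = 'aes-256-gcm'
  KEY_BYTES = 32
  TAG_BYTES = 16

  # Load the 32-byte key from the environment, hex-encoded. OAUTH_TOKEN_KEY is
  # an assumed name for this example; a key can be generated with
  #   ruby -ropenssl -e 'puts OpenSSL::Random.random_bytes(32).unpack1("H*")'
  def self.key
    hex = ENV.fetch('OAUTH_TOKEN_KEY') { raise 'OAUTH_TOKEN_KEY is not set' }
    key = [hex].pack('H*')
    raise 'OAUTH_TOKEN_KEY must be 32 bytes (64 hex chars)' unless key.bytesize == KEY_BYTES
    key
  end

  # Encrypt one token. Returns "base64(iv).base64(tag).base64(ciphertext)".
  # A fresh random IV per call means two users with the same token never get
  # identical rows; auth_data (e.g. "user:<id>") is authenticated but not
  # encrypted, so a ciphertext copied from one user's row into another's row
  # fails to decrypt.
  def self.encrypt(plaintext, auth_data:, key: self.key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv            # 12 random bytes, set on the cipher and returned
    cipher.auth_data = auth_data
    ciphertext = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ciphertext].map { |b| Base64.strict_encode64(b) }.join('.')
  end

  # Decrypt one stored blob. Returns nil on any failure (wrong key, modified
  # ciphertext or tag, wrong auth_data, malformed input) instead of raising,
  # so the caller can treat it as "token unusable, ask the user to re-authorize".
  def self.decrypt(blob, auth_data:, key: self.key)
    iv, tag, ciphertext = blob.split('.', 3).map { |s| Base64.strict_decode64(s) }
    return nil unless iv && tag && ciphertext && tag.bytesize == TAG_BYTES
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = key
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = auth_data
    decipher.update(ciphertext) + decipher.final   # final raises if the tag does not verify
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a throwaway key and token, only for running this file directly.
  k = OpenSSL::Random.random_bytes(32)
  blob = TokenCrypto.encrypt('constructed-oauth-token', auth_data: 'user:42', key: k)
  puts blob
  puts TokenCrypto.decrypt(blob, auth_data: 'user:42', key: k)
end
```

In a Rails model this would sit in a getter/setter pair around an `encrypted_token` column, with `auth_data` derived from the record's own id. The point of the authenticated mode is the caveat the answer's one-liner does not show: without a tag, a leaked database lets an attacker alter ciphertext undetected, and plain CBC (as in many gists) gives no such check. Note also what this does not protect against: the key lives on the application server, so anyone who can read process memory or the environment of a running app can decrypt the tokens; the encryption only buys protection against a copy of the database leaving on its own.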

django-allauth is no slouch of an OAuth(2) implementation. I just looked at its socialaccount_socialtoken table, and the tokens are all in clear text. I think you are covered because no one can use the tokens if they steal them.

0
