Securely storing user tokens for a Bluesky scheduler app #2882
Unanswered
paulbgtr asked this question in How to do it?
Replies: 0 comments
Hi Bluesky team and fellow developers!
I'm building a post scheduler for Bluesky as my hobby project, and I've run into a bit of a dilemma regarding secure token storage. I'd love to get some guidance from the experts here.
My project
I'm creating a simple web app that allows Bluesky users to schedule their posts. The app needs to publish posts on behalf of users at predetermined times, even when they're not actively using the app.
The challenge
To post on behalf of users, I need to access their ATP session server-side. Currently, I'm storing the entire session, including both the refresh and access tokens, in my database, but I'm not entirely comfortable with this approach from a security standpoint. I've also considered storing only the refresh token encrypted, but I'm still unsure about the security implications of that.
Questions
Current approach
Right now, I'm storing the tokens in my database. I refresh the access token as needed using the stored refresh token.
I'd really appreciate any insights, best practices, or recommendations you could share. This is a hobby project, so I'm aiming for a good balance between security and simplicity of implementation.
Thanks in advance for your help!