No secure handling of token for API yet #62

Closed
Ludee opened this issue Aug 17, 2017 · 7 comments
Comments

@Ludee
Member

Ludee commented Aug 17, 2017

A token is used for the API.

How do we handle/store the token in a secure way? We definitely should not hard code it in our python scripts and push it to GitHub.
A small search gives us these options. Feel free to add others or comment:

@nesnoj

nesnoj commented Aug 18, 2017

I prefer the keyring solution since it has been used in other repos too.
I propose to conform the DB access via API in ego.io.
(see also: openego/ego.io#16)

@gnn

gnn commented Aug 21, 2017

@nesnoj: when you say conform, you mean standardize, right?
Concerning the question: since tokens are issued on a per user basis, each user can make his own choice of how to access it from his scripts using the API.
When it comes to providing infrastructure on how to store it in code that is intended to use the API, IMHO the choice depends on the package providing the infrastructure. For oemof.db I would put a suggestion in the documentation to put the token, the path to the file containing the token or the service/username pair under which the token is stored in the keyring into the configuration file. For ego.io it looks like going with keyring is a good option if keyring is used by the package anyway.
Just one thing: always provide a way to explicitly pass the key to functions using the API. That way the user has the choice of using the default way you want him to use, or he can use the way he prefers, like e.g. just reading it from a text file.
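The lookup order gnn describes (explicit argument first, then a user-chosen store such as the keyring, a token file or a config entry, never a literal in the scripts), as an added example that is not code from this thread or from the oemof.db / ego.io packages. The variable name `OEP_TOKEN`, the keyring service name `oep-api`, the `[api]` config section and the `demo()` fixture are assumptions chosen for illustration; `keyring` is treated as an optional dependency and a test double can be injected via `keyring_get`.

```python
"""Resolve an API token without hard-coding it (added example, not project code).

Lookup order, highest priority first:
  1. token passed explicitly by the caller
  2. environment variable OEP_TOKEN            (assumed name)
  3. keyring entry, service "oep-api", account = username   (assumed name)
  4. config file: [api] token = ...  or  [api] token_file = /path
"""
import configparser
import os
import stat
import tempfile
import warnings
from pathlib import Path
from typing import Callable, Mapping, Optional

ENV_VAR = "OEP_TOKEN"        # assumption: illustrative variable name
KEYRING_SERVICE = "oep-api"  # assumption: illustrative keyring service name


class TokenNotFound(RuntimeError):
    """Raised when no configured source yields a token."""


def _keyring_lookup(service: str, username: str) -> Optional[str]:
    """Read from the system keyring; None if keyring is not installed or has no entry."""
    try:
        import keyring  # optional dependency
    except ImportError:
        return None
    return keyring.get_password(service, username)


def file_is_private(path: Path) -> bool:
    """True if no group/other permission bits are set (POSIX only; always True elsewhere)."""
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def _read_token_file(path: Path) -> str:
    # A token file that other local users can read is almost as bad as a hard-coded one.
    if not file_is_private(path):
        warnings.warn(f"{path} is readable by other users; chmod 600 it")
    return path.read_text(encoding="utf-8").strip()


def resolve_token(
    token: Optional[str] = None,
    *,
    username: Optional[str] = None,
    config_path: Optional[str] = None,
    environ: Optional[Mapping[str, str]] = None,
    keyring_get: Callable[[str, str], Optional[str]] = _keyring_lookup,
) -> str:
    """Return the API token from the first source that has one; raise TokenNotFound otherwise."""
    environ = os.environ if environ is None else environ
    if token:                                   # 1. explicit argument always wins
        return token.strip()
    value = environ.get(ENV_VAR)                # 2. environment
    if value:
        return value.strip()
    if username:                                # 3. keyring (per-user, as tokens are)
        value = keyring_get(KEYRING_SERVICE, username)
        if value:
            return value.strip()
    if config_path:                             # 4. config file: inline token or path to token file
        # interpolation=None so a token containing '%' is read literally
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(config_path, encoding="utf-8")
        if cfg.has_option("api", "token"):
            return cfg.get("api", "token").strip()
        if cfg.has_option("api", "token_file"):
            return _read_token_file(Path(cfg.get("api", "token_file")).expanduser())
    raise TokenNotFound(
        f"no token found: pass it explicitly, set {ENV_VAR}, store it in the keyring, "
        "or reference it from the config file"
    )


def demo() -> str:
    """Constructed offline fixture: a config file pointing at a chmod-600 token file."""
    workdir = Path(tempfile.mkdtemp())
    token_file = workdir / "token.txt"
    token_file.write_text("tok%example\n", encoding="utf-8")   # constructed sample token
    token_file.chmod(0o600)
    config = workdir / "config.ini"
    config.write_text(f"[api]\ntoken_file = {token_file}\n", encoding="utf-8")
    return resolve_token(environ={}, config_path=str(config), keyring_get=lambda s, u: None)


if __name__ == "__main__":
    print(demo())
```

Because the explicit `token` argument is checked first, a caller can always override whatever default store the package documents, which is the point gnn makes; the permission check on the token file is the one extra caveat worth adding when recommending "just read it from a text file".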

@nesnoj

nesnoj commented Aug 22, 2017

Yeah, sorry for the bad word choice.
I fully agree!

@EdithaK

EdithaK commented Oct 25, 2017

@ALL: I have put the question of Ludee and the answer of gnn into the FAQ collection (GitHub Wiki). Hope you all agree on the answer.
@Ludee: If there is still enhancement required, please develop a concrete ToDo from this and assign it to a future MS.

@christian-rli
Contributor

"Establish and enforce guidelines for Token security." - User Feedback
RequirementSpecificationID=33

@christian-rli christian-rli assigned wingechr and MGlauer and unassigned Ludee Jan 28, 2019
@Bachibouzouk Bachibouzouk changed the title Token for API No secure handling of token for API yet Aug 22, 2019
@Bachibouzouk
Contributor

@wingechr , @MGlauer - is a branch underway to tackle this issue? Or could I assign it to myself?

@Ludee
Member Author

Ludee commented Aug 26, 2019

Please go ahead @Bachibouzouk

@Bachibouzouk Bachibouzouk transferred this issue from OpenEnergyPlatform/oeplatform Aug 28, 2019