为外部 API 存储密码 - 最佳实践 [英] Storing Passwords for External APIs - Best Practice
问题描述
如果我构建了一个应用程序,它可以访问来自 Gmail、Twitter 和 Facebook 的一些数据,并且我希望用户只需输入一次他们的身份验证信息,并且在几天或几周后重置,那该怎么办?在 Ruby 中动态执行此操作的最佳方法是什么?
If I built an application that accessed some of the data from say Gmail, Twitter and Facebook, and I want the user to be able to only have to enter their authentication info once, and it's reset after some days or weeks, what is the best way to do this, dynamically, in Ruby?
我看到很多人只是拥有他们客户/用户凭据的配置文件,如下所示:
I see a lot of people just having a config file of their clients'/users' credentials like so:
gmail_account:
username: myClient
password: myClientsPassword
这似乎 a) 非常不安全,并且 b) 如果我想为成千上万的用户存储此类信息,它就行不通.推荐的方法是什么?
This seems a) like it's very insecure, and b) it wouldn't work if I wanted to store this kind of information for thousands of users. What is the recommended way to do this?
我希望能够在这些服务之上构建一个界面,因此每次用户进行交易时都必须输入凭据是不可行的.
I would like to be able to build an interface on top of these services, so having to enter credentials every time the user made a transaction isn't feasible.
推荐答案
如果您对黑客进入您的数据库/文件系统时的潜在责任感到满意,那么就去做吧.平心而论,您还应该向您的用户披露他们的密码将存储在您的系统中,并让他们决定是否要给予您的程序这种信任级别.
If you're comforatable with the potential liability when a hacker gets into your database / filesystem, then go for it. And in all fairness, you should also disclose to your users that their passwords will be stored on your system, and let them decide if they want to give your program that level of trust.
但是为什么要这样做呢?Facebook Connect 和 Twitter &Google 使用 OAuth,您根本不需要存储用户密码.在某些时候,用户的 cookie 会过期(或者他们会尝试从另一台计算机访问您的站点),并且他们必须重新进行身份验证.您无法阻止重新验证 - 相反,您应该让最终用户尽可能轻松地处理.
But why do this in the first place? Facebook Connect and Twitter & Google using OAuth there's no need for you to store user passwords at all. At some point a user's cookies will expire (or they'll try to access your site from another computer) and they'll have to re-authenticate. You can't prevent re-authentication - instead, you should make it as easy for the end user to handle as possible.
这篇关于为外部 API 存储密码 - 最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
