存储密码外部的API - 最佳实践 [英] Storing Passwords for External APIs - Best Practice
问题描述
如果我建立了访问一些比如从Gmail中,Twitter和Facebook的数据的应用程序,我希望用户能够只需要输入一次认证信息,而且它经过一些天或数周,复位什么为做到这一点的最好方法,动态,在Ruby中?
If I built an application that accessed some of the data from say Gmail, Twitter and Facebook, and I want the user to be able to only have to enter their authentication info once, and it's reset after some days or weeks, what is the best way to do this, dynamically, in Ruby?
我看到很多人只是有他们的客户/用户的凭据,像这样的配置文件:
I see a lot of people just having a config file of their clients'/users' credentials like so:
gmail_account:
username: myClient
password: myClientsPassword
这似乎是一个),喜欢它的很没有安全感,和b)如果我想保存这种向数以千计的用户信息,这是行不通的。什么是做到这一点的推荐的方法?
This seems a) like it's very insecure, and b) it wouldn't work if I wanted to store this kind of information for thousands of users. What is the recommended way to do this?
我希望能够建立在这些服务之上的接口,所以不必输入凭据的用户进行的交易是不可行的每一次。
I would like to be able to build an interface on top of these services, so having to enter credentials every time the user made a transaction isn't feasible.
推荐答案
如果你comforatable与潜在责任当黑客进入你的数据库/文件系统,然后去了。而且平心而论,你也应该透露给你的用户,他们的密码会被存储在系统中,让他们决定,如果他们想给你的程序信任级别。
If you're comforatable with the potential liability when a hacker gets into your database / filesystem, then go for it. And in all fairness, you should also disclose to your users that their passwords will be stored on your system, and let them decide if they want to give your program that level of trust.
但是,为什么摆在首位做到这一点? Facebook连接和Twitter&安培;谷歌使用OAuth没有必要为你保存用户密码的。在某些时候,一个用户的cookie将到期(或他们会尝试从另一台计算机访问您的网站),他们将不得不重新验证。你不能prevent重认证 - 相反,你应该让容易为最终用户处理尽可能
But why do this in the first place? Facebook Connect and Twitter & Google using OAuth there's no need for you to store user passwords at all. At some point a user's cookies will expire (or they'll try to access your site from another computer) and they'll have to re-authenticate. You can't prevent re-authentication - instead, you should make it as easy for the end user to handle as possible.
这篇关于存储密码外部的API - 最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
