This issue is to track progress on OAuth and other login issues.
Summary:
Basically we support both OAuth login and personal access token, but not user/password login.
This is because the discogs_client python lib supports the former two only.
In practice, OAuth login is disabled per default in the App currently.
The problems:
- Secure storage of tokens:
Due to the lack of a functional Sailfish::Secrets implementation for QML, we can not at this point store either the personal access token, nor the generated OAuth token and secrets securely.
See the store-auth branch in the git repo for attempts to use Sailfish::Secrets.
Current status: only PAK is supported, and ist stored in a local file. File was chosen in favor of DConf because it's a little more secure through encryption (at rest), and through SailJail not just any app can read that, contrary to DConf.
- OAuth secrets:
Due to the lack of secrets handling in OBS, we can not distribute the OAuth Consumer key and secret securely.
So the release builds ships without the consumer keys.
Both personal access token as well as the secrets can be put into the APIConfig javascript file qml/config/api.js by users/developers locally.
Using this method, it can be tested that OAuth authentication actually works just fine, but the result are two tokens, which we again can't store securely as long as 1. above remains.
This issue is to track progress on OAuth and other login issues.
### Summary:
Basically we support both OAuth login and personal access token, but not user/password login.
This is because the `discogs_client` python lib supports the former two only.
In practice, OAuth login is disabled per default in the App currently.
----
### The problems:
1. Secure storage of tokens:
Due to the lack of a functional Sailfish::Secrets implementation for QML, we can not at this point store either the personal access token, nor the generated OAuth token and secrets securely.
See the store-auth branch in the git repo for attempts to use Sailfish::Secrets.
**Current status:** only PAK is supported, and ist stored in a local file. File was chosen in favor of DConf because it's a little more secure through encryption (at rest), and through SailJail not just any app can read that, contrary to DConf.
2. OAuth secrets:
Due to the lack of secrets handling in OBS, we can not distribute the OAuth Consumer key and secret securely.
So the release builds ships without the consumer keys.
Both personal access token as well as the secrets *can* be put into the APIConfig javascript file `qml/config/api.js` by users/developers locally.
Using this method, it can be tested that OAuth authentication actually works just fine, but the result are two tokens, which we again can't store securely as long as 1. above remains.