1
0
Fork
You've already forked cogs
1

Support secure login and storing of credentials #1

Open
opened 2025年05月10日 09:24:14 +02:00 by nephros · 3 comments

This issue is to track progress on OAuth and other login issues.

Summary:

Basically we support both OAuth login and personal access token, but not user/password login.
This is because the discogs_client python lib supports the former two only.

In practice, OAuth login is disabled per default in the App currently.


The problems:

  1. Secure storage of tokens:

Due to the lack of a functional Sailfish::Secrets implementation for QML, we can not at this point store either the personal access token, nor the generated OAuth token and secrets securely.

See the store-auth branch in the git repo for attempts to use Sailfish::Secrets.

Current status: only PAK is supported, and ist stored in a local file. File was chosen in favor of DConf because it's a little more secure through encryption (at rest), and through SailJail not just any app can read that, contrary to DConf.

  1. OAuth secrets:

Due to the lack of secrets handling in OBS, we can not distribute the OAuth Consumer key and secret securely.
So the release builds ships without the consumer keys.

Both personal access token as well as the secrets can be put into the APIConfig javascript file qml/config/api.js by users/developers locally.

Using this method, it can be tested that OAuth authentication actually works just fine, but the result are two tokens, which we again can't store securely as long as 1. above remains.

This issue is to track progress on OAuth and other login issues. ### Summary: Basically we support both OAuth login and personal access token, but not user/password login. This is because the `discogs_client` python lib supports the former two only. In practice, OAuth login is disabled per default in the App currently. ---- ### The problems: 1. Secure storage of tokens: Due to the lack of a functional Sailfish::Secrets implementation for QML, we can not at this point store either the personal access token, nor the generated OAuth token and secrets securely. See the store-auth branch in the git repo for attempts to use Sailfish::Secrets. **Current status:** only PAK is supported, and ist stored in a local file. File was chosen in favor of DConf because it's a little more secure through encryption (at rest), and through SailJail not just any app can read that, contrary to DConf. 2. OAuth secrets: Due to the lack of secrets handling in OBS, we can not distribute the OAuth Consumer key and secret securely. So the release builds ships without the consumer keys. Both personal access token as well as the secrets *can* be put into the APIConfig javascript file `qml/config/api.js` by users/developers locally. Using this method, it can be tested that OAuth authentication actually works just fine, but the result are two tokens, which we again can't store securely as long as 1. above remains.
Author
Owner
Copy link

comment removed and summed up above

*comment removed and summed up above*
Author
Owner
Copy link

... actually we currently store secrets in ~/.local/share/org.nephros.sailfish/Cogs/keys.json

... actually we currently store secrets in `~/.local/share/org.nephros.sailfish/Cogs/keys.json`
nephros added reference store-auth 2025年05月11日 14:30:11 +02:00
Author
Owner
Copy link

Re: OAuth: Due to Cloudflare not accepting our Browser on login.discogs.org, at least on SFOS 5.0 and lower, relying on PAK instead may not be so bad.

Re: OAuth: Due to Cloudflare not accepting our Browser on `login.discogs.org`, at least on SFOS 5.0 and lower, relying on PAK instead may not be so bad.
Sign in to join this conversation.
store-auth
master
qrread
quickfix
obs
cachedb
refactor
discography
collnotes
noimg
advsearch
api
store-wv
wantlist
band
caching
refactor-objfetch
fix-icons
store-auth
0.11.1+git1
0.11.1
0.12.0
0.11.0+git1
0.11.0
0.10.3+git1
0.10.3
0.10.2
0.10.1
0.10.0+git3
0.10.0+git2
0.10.0+git1
0.10.0
0.9.9
0.9.8+git1
0.9.8
0.9.7+git3
0.9.7+git2
0.9.7+git1
0.9.7
0.9.6+git4
0.9.6+git3
0.9.6+git2
0.9.6+git1
0.9.6
0.9.5+git1
0.9.5
0.9.4+git1
0.9.4
0.9.3
0.9.2+git1
0.9.2
0.9.1
0.9.0
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
nephros/cogs#1
Reference in a new issue
nephros/cogs
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?