this post was submitted on 02 Aug 2023
9 points (100.0% liked)

Ask Experienced Devs

1235 readers
1 users here now

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

Hi, by now it seems to be common knowledge that passwords shouldn't be stored in a database. Backend devs generally know to hash and salt and what-not their transmitted passwords. It seems to be well documented.

However, I wasn't exactly able to find such a clear answer for client applications accessing e.g. web APIs. For example, lets assume you were to create a Lemmy desktop application with support for multiple accounts. Ideally, that software would work like a password manager and store its master password as hash only.

However(2), sometimes users like to start said application without entering their password. Like an Email client in pleb mode. Which requires the passwords to be stored somewhere. In this case, what is the best course of action?

all 15 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (3 children)

Ideally you should use the help from the OS. For example if you target Apple they provide this keychain API made for that.

https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_keychain

But looking I found this apparently portable lib https://github.com/hrantzsch/keychain

Windows and Linux do not appear to provide as much security as macOS but this lib appear to do its best.

[–] [email protected] 5 points 1 year ago (1 children)

For Linux there's gnome keyring.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Windows credential manager is also an option baked into the OS, though I don't have experience working with it to say how good or bad it is

[–] [email protected] 1 points 1 year ago

https://code.visualstudio.com/docs/editor/settings-sync#_troubleshooting-keychain-issues

This shows how MS Visual Code stores the password in keychain in various OSes.

[–] [email protected] 5 points 1 year ago (1 children)

I think most applications store it in plain text, but makes sure the file is only readable by the current user. This way, we rely on the protection of the OS, instead of doing it ourselves. (I'm not a desktop app developer, so I might be completely wrong, but I think this is what e.g. Firefox does).

[–] [email protected] 7 points 1 year ago

Yeah it's not too rare to store passwords in config files (e.g ~/.config/appname/config.json) usually at least base64 encoded to support special characters. It is usually better to try and store a token instead as they can be revoked or expired. If you have to store a password it might be fun to look into storing it in the system keychain, at least for macos or Linux, not sure if Windows has a keychain.

[–] [email protected] 5 points 1 year ago

As far as I know, the correct way of handling authentication for a desktop applications is using OAuth and "Authentication Code with PKCE" flow. This way, you won't have to store the password at all.

But Lemmy doesn't support OAuth as of now. So, if you want users to be able to use the application without entering credentials, you will have two options:

  1. Store the password under current user
  2. Store the token you receive after the login (the token doesn't expire)

Lemmy may decide to expire tokens in the future (that's the correct thing to do, in my opinion).

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Pretty much every OS has some solution to this called a keyring, e.g.:

These can be used to basically delegate that job to somebody else. They typically work by protecting the keyring contents with the user's system credentials.

[–] [email protected] 1 points 1 year ago
[–] [email protected] 2 points 1 year ago (1 children)

You can password-protect a SQLite database, although you'd have to store the password within the app which raises other issues.

[–] [email protected] 1 points 1 year ago

Yes, every approach seems to be limited in that an attacker could steal the password or token indirectly. So the safest bet is probably making storing passwords opt-in for each user.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

You deskktop app could login to Lemmy via the web app and store the login cookie as it's token for future access. This security is effectively on-par with the existing web app in terms of what happens if the machine falls into bad hands.

But the same thing via an API would be preferred.

The idea that you can login to a website and get a cookie that last 3 weeks may feel absurd, but when you think about clients keeping unencrypted passwords it sort of makes it more appealing comparitively. Especially if you can lock down the cookie to the hardware to prevent theft somehow.