Friday, June 3, 2016

Learning Meteor.js [Part 27]: Beware of Accounts packages storing OAuth secrets in the database

So far I have been really happy with Meteor's Accounts system, but one thing that surprised me is that it stores the OAuth client secret in the database.

This is really strange because I already have to keep the secrets in an environment variable of my hosting provider (in this case Heroku), so why does it need to store them in the database as well? I don't know. If you follow my last post and use the ServiceConfiguration package to set the secret, you will see that the secret is now sitting in your MongoDB instance as well.

I don't like this for two reasons:

  1. Secrets are now in two places: the deployment settings and the database. Ideally a secret lives in exactly one place, because every extra copy is another place from which it can leak.
  2. In my experience, fewer people have access to the deployment settings than to the database. For example, business users sometimes get database access to inspect sales data, and now they also get to see the client secret.
As I said, I don't know what the reasoning behind this decision was, or whether it is possible to use Accounts without storing the secrets in the database. If it is, it is certainly not advertised.
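As an added example (not code from the post or from Meteor), here is a small Node.js audit that takes documents exported from the service configuration collection and reports, per service, whether a secret is stored in the database and whether it still matches the deployment environment variable, so you can spot both the duplicated copies and the stale ones. The sample documents, the sample environment and the `<SERVICE>_CLIENT_SECRET` naming convention are assumptions made for the example.

```javascript
// Added example (not from the post or from Meteor): audit the documents of
// Meteor's service configuration collection for OAuth secrets stored in MongoDB.
// Export the documents first, e.g. in the mongo shell:
//   db.meteor_accounts_loginServiceConfiguration.find({ secret: { $exists: true } })
// Assumption: deployment secrets live in env vars named <SERVICE>_CLIENT_SECRET.

// Constructed sample of exported configuration documents (not real credentials).
const SAMPLE_CONFIGS = [
  { _id: 'c1', service: 'google', clientId: 'google-client-id', secret: 'g-secret-1' },
  { _id: 'c2', service: 'github', clientId: 'github-client-id', secret: 'gh-secret-old' },
  { _id: 'c3', service: 'facebook', appId: 'facebook-app-id', secret: 'fb-secret-2' },
  { _id: 'c4', service: 'weibo', clientId: 'weibo-client-id' },
];

// Constructed deployment environment, the way Heroku config vars are exposed.
const SAMPLE_ENV = {
  GOOGLE_CLIENT_SECRET: 'g-secret-1',    // same value as the DB copy
  GITHUB_CLIENT_SECRET: 'gh-secret-new', // rotated in the env, stale copy left in the DB
};

// Map a Meteor service name to the assumed env var name, e.g. 'meteor-developer'
// becomes METEOR_DEVELOPER_CLIENT_SECRET.
function envVarFor(service) {
  return `${service.toUpperCase().replace(/[^A-Z0-9]/g, '_')}_CLIENT_SECRET`;
}

// Classify each service: 'ok' (no secret in the DB), 'duplicated' (DB copy equals
// the env var), 'stale' (DB copy differs from the env var) or 'db-only' (no env var).
function auditServiceConfigs(docs, env) {
  return docs.map((doc) => {
    const stored = typeof doc.secret === 'string' && doc.secret.length > 0;
    const envVar = envVarFor(doc.service);
    let status = 'ok';
    if (stored) {
      if (!(envVar in env)) status = 'db-only';
      else if (env[envVar] === doc.secret) status = 'duplicated';
      else status = 'stale';
    }
    return { service: doc.service, envVar, secretInDb: stored, status };
  });
}

// Copy of a document that is safe to show to someone inspecting the database.
function redactSecret(doc) {
  return 'secret' in doc ? { ...doc, secret: '<redacted>' } : { ...doc };
}

for (const r of auditServiceConfigs(SAMPLE_CONFIGS, SAMPLE_ENV)) console.log(r);
console.log(redactSecret(SAMPLE_CONFIGS[0]));
```

A 'stale' result is the one to act on first: the database still holds a secret that was rotated elsewhere, so anyone with database access holds a credential nobody is tracking.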

1 comment:

  1. Had the same experience. In my case, it came from the configuration itself: the shift into the Heroku live environment includes this data, if it was configured in your dev environment.
    Solution? Try and delete them...? Well, I have not done this yet. But if you can write to this table in prod, then you can perhaps set up this weibo (one which is irrelevant to you), then update the env variable, then delete the weibo entry in prod and see how that comes...
