OpenEnergyPlatform / academy

The Open Energy Academy is a collection of courses, tutorials, and questions for the Open Energy Family
https://openenergyplatform.github.io/academy/
GNU Affero General Public License v3.0

No secure handling of token for API yet #62

Closed Ludee closed 4 years ago

Ludee commented 7 years ago

A token is used for the API.

How do we handle/store the token in a secure way? We definitely should not hard code it in our python scripts and push it to GitHub. A small search gives us these options. Feel free to add others or comment:

nesnoj commented 7 years ago

I prefer the keyring solution since it has been used in other repos too. I propose to conform the DB access via API in ego.io. (see also: https://github.com/openego/ego.io/issues/16)

gnn commented 7 years ago

@nesnoj: when you say conform, you mean standardize, right? Concerning the question: since tokens are issued on a per user basis, each user can make his own choice of how to access it from his scripts using the API. When it comes to providing infrastructure on how to store it in code that is intended to use the API, IMHO the choice depends on the package providing the infrastructure. For oemof.db I would put a suggestion in the documentation to put the token, the path to the file containing the token or the service/username pair under which the token is stored in the keyring into the configuration file. For ego.io it looks like going with keyring is a good option if keyring is used by the package anyway. Just one thing: always provide a way to explicitly pass the key to functions using the API. That way the user has the choice of using the default way you want him to use, or he can use the way he prefers, like e.g. just reading it from a text file.
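
The lookup chain gnn describes (explicit argument first, then environment, then a config file that holds either the token, a path to a token file, or a keyring service/username pair), as an added example that is not code from the academy, oemof.db or ego.io. The environment variable name `OEP_TOKEN`, the config path `~/.oep/config.ini`, the section name `oep` and the keyring service name `openenergyplatform` are assumptions for the illustration; `keyring` is treated as an optional dependency so the script still runs where it is not installed.

```python
"""Added example: resolve an API token without hard-coding it in scripts.

Lookup order, following the suggestion in the thread:
  1. token passed explicitly to the function
  2. environment variable OEP_TOKEN          (assumed name)
  3. ~/.oep/config.ini, section [oep]        (assumed location), holding
     token= <value> | token_file= <path> | keyring_user= (+ keyring_service=)
All names are assumptions, not the project's own conventions.
"""
import configparser
import os
import stat
import sys
import tempfile
import warnings
from pathlib import Path
from typing import Mapping, Optional

ENV_VAR = "OEP_TOKEN"
DEFAULT_CONFIG = Path.home() / ".oep" / "config.ini"
KEYRING_SERVICE = "openenergyplatform"
CONFIG_SECTION = "oep"


class TokenNotFound(RuntimeError):
    """Raised when none of the sources yields a token."""


def file_is_private(path: Path) -> bool:
    """True unless group/others can access the file (POSIX mode bits only)."""
    if sys.platform == "win32":
        return True  # no POSIX mode bits; NTFS ACLs are not checked here
    return not (path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def _from_keyring(service: str, username: str) -> Optional[str]:
    try:
        import keyring  # optional dependency, absent on many machines
    except ImportError:
        return None
    return keyring.get_password(service, username)


def _from_config(path: Path) -> Optional[str]:
    """Read the token (or an indirection to it) from an INI file, if present."""
    if not path.is_file():
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path, encoding="utf-8")
    if not cp.has_section(CONFIG_SECTION):
        return None
    sec = cp[CONFIG_SECTION]
    if sec.get("token"):
        if not file_is_private(path):
            warnings.warn(f"{path} contains a token but is group/world readable")
        return sec["token"].strip()
    if sec.get("token_file"):
        token_file = Path(sec["token_file"]).expanduser()
        if token_file.is_file():
            if not file_is_private(token_file):
                warnings.warn(f"{token_file} is group/world readable")
            return token_file.read_text(encoding="utf-8").strip()
    if sec.get("keyring_user"):
        return _from_keyring(sec.get("keyring_service", KEYRING_SERVICE), sec["keyring_user"])
    return None


def resolve_token(token: Optional[str] = None, env: Optional[Mapping[str, str]] = None,
                  config_path: os.PathLike = DEFAULT_CONFIG) -> str:
    """Return the API token, preferring an explicitly passed value."""
    if token:
        return token
    env = os.environ if env is None else env
    if env.get(ENV_VAR):
        return env[ENV_VAR]
    found = _from_config(Path(config_path))
    if found:
        return found
    raise TokenNotFound(f"no API token: pass one explicitly, set {ENV_VAR}, or fill {config_path}")


def mask(token: str) -> str:
    """Short form for log lines; never log the full token."""
    return "*" * len(token) if len(token) <= 8 else f"{token[:4]}...{token[-4:]}"


def demo() -> dict:
    """Exercise the chain against a constructed config in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cfg, token_file = Path(d) / "config.ini", Path(d) / "token.txt"
        token_file.write_text("filetoken-0000000000000000\n", encoding="utf-8")  # constructed
        cfg.write_text(f"[{CONFIG_SECTION}]\ntoken_file = {token_file}\n", encoding="utf-8")
        if sys.platform != "win32":
            os.chmod(token_file, 0o600)
            os.chmod(cfg, 0o600)
        results["explicit"] = resolve_token("explicit-token", env={}, config_path=cfg)
        results["env"] = resolve_token(env={ENV_VAR: "env-token"}, config_path=cfg)
        results["file"] = resolve_token(env={}, config_path=cfg)
        try:
            resolve_token(env={}, config_path=Path(d) / "missing.ini")
            results["missing_raises"] = False
        except TokenNotFound:
            results["missing_raises"] = True
    results["masked"] = mask(results["file"])
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is the caveat worth keeping: a config or token file that is readable by other accounts on a shared machine leaks the token just as surely as a committed script does, so the example warns on it, and the config file itself belongs in `.gitignore`.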

nesnoj commented 7 years ago

Yea, sorry for the bad word choice.. I fully agree!

EdithaK commented 6 years ago

@all: I have put the Q of Ludee and the answer of gnn to the FAQ-collection (GitHub-Wiki). Hope you all agree on the answer. @Ludee: If there is still enhancement required: please develop a concrete ToDo from this and assign it to a future MS

christian-rli commented 5 years ago

"Establish and enforce guidelines for Token security." - User Feedback RequirementSpecificationID=33

Bachibouzouk commented 5 years ago

@wingechr , @MGlauer - is a branch underway to tackle this issue? Or could I assign it to myself?

Ludee commented 5 years ago

Please go ahead @Bachibouzouk