Uses the Fernet algorithm in the cryptography package to encrypt the access and refresh tokens before storing to the database.
Requires a secret key. Currently, this can be created with a custom Flask command: flask create-secret-key plus the path to a key file. I'm not sure this is the best place to put that logic, since it currently requires the Flask app container to be running, and if this key isn't present, the encryption process won't work.
It required a change to the database model, so I had to wipe out the existing postgres db. FWIW, that was a confusing process: running db.drop_all() deleted the old tables, but then db.create_all() wouldn't recreate them. I finally had to drop and recreate the database itself via psql. I'm still not sure why it didn't work just to use db.drop_all followed by db.create_all.
I haven't updated the README yet, since I'm not certain about the placement of the function to create the Fernet key.
An additional consideration: handling the encryption in the Flask app means that the tokens will also need to be retrieved by the Flask app (or by another app that has access to the Fernet key). From what I've read, that seems to be the more secure approach (as opposed to letting the database handle the encryption/decryption).
See the t16-encrypt-tokens branch.
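A sketch of the approach described above (app-side Fernet encryption of tokens with a key read from a file), added here as an illustration and not taken from the t16-encrypt-tokens branch. The function names and the key file location are assumptions, and the token value is constructed sample data.

```python
import os
import stat
import tempfile

from cryptography.fernet import Fernet, InvalidToken


def create_key_file(path):
    """Write a new Fernet key to `path` with owner-only permissions.

    O_EXCL refuses to overwrite an existing key, since replacing it would
    make every token already stored in the database undecryptable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(Fernet.generate_key())


def load_fernet(path):
    """Load the key once at startup so a missing key fails early and clearly."""
    try:
        with open(path, "rb") as fh:
            return Fernet(fh.read().strip())
    except FileNotFoundError as exc:
        raise RuntimeError(f"Fernet key file not found: {path}") from exc


def encrypt_token(fernet, token):
    """Return the ciphertext as ASCII text, suitable for a text column."""
    return fernet.encrypt(token.encode("utf-8")).decode("ascii")


def decrypt_token(fernet, stored):
    """Return the plaintext token, or None if the key is wrong or the value was altered."""
    try:
        return fernet.decrypt(stored.encode("ascii")).decode("utf-8")
    except InvalidToken:
        return None


def demo():
    """Round-trip a constructed token, then try to read it with a different key."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "fernet.key")  # hypothetical location
        create_key_file(key_path)
        fernet = load_fernet(key_path)
        stored = encrypt_token(fernet, "constructed-access-token")
        other = Fernet(Fernet.generate_key())
        return {
            "roundtrip": decrypt_token(fernet, stored),
            "wrong_key": decrypt_token(other, stored),
            "mode": stat.S_IMODE(os.stat(key_path).st_mode),
        }
```

Any other service that needs the tokens has to be given the same key file, which is the trade-off noted above for doing the encryption in the app.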