mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

Encrypt Updated Refresh Token? #263

Closed tmcqueen-materials closed 1 year ago

tmcqueen-materials commented 1 year ago

First, thanks for all of your efforts to make davmail, it is an incredibly useful piece of software.

Thank you also for including in commit af760b6f39d90402195931026460041dd3829036 the ability to store updated refresh tokens.

I was in the process of building from source to test this feature out, and noticed that https://github.com/mguessan/davmail/blob/af760b6f39d90402195931026460041dd3829036/src/java/davmail/exchange/auth/O365Token.java#L205 is different than the line that stores the original refresh token https://github.com/mguessan/davmail/blob/af760b6f39d90402195931026460041dd3829036/src/java/davmail/exchange/auth/O365Token.java#L178

Since the password is available in both places, shouldn't the former also encrypt the refresh token (Settings.storeRefreshToken(username, encryptToken(localtoken.getRefreshToken(), password));)? Since the refresh_token is a long-lived secret, it should not be stored in the clear.

Thanks again for all you do with this software!
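To illustrate the point raised in the comment above, here is an added example (not DavMail's code, and not its actual encryptToken implementation) of the two storage paths: the weak one writes the refreshed token as-is, the hardened one runs it through a password-derived key first. Class and method names, the PBKDF2/AES-GCM construction and the sample values are all assumptions chosen for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical password-based token protection; not DavMail's own encryptToken(). */
public class RefreshTokenStore {
    private static final int SALT_BYTES = 16, IV_BYTES = 12, TAG_BITS = 128, PBKDF2_ROUNDS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a per-entry AES key from the user's password so the settings file holds no usable key.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ROUNDS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    // Stored layout: base64(salt || iv || ciphertext+tag), with a fresh salt and IV for every store.
    static String encryptToken(String token, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        RNG.nextBytes(salt); RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(salt.length + iv.length + ct.length).put(salt).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }
    // GCM authenticates the ciphertext: a wrong password or an edited file fails with AEADBadTagException.
    static String decryptToken(String stored, char[] password) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(Base64.getDecoder().decode(stored));
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES], ct = new byte[in.remaining() - SALT_BYTES - IV_BYTES];
        in.get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "user-password".toCharArray();           // constructed sample
        String refreshed = "constructed-refresh-token-value";       // constructed sample, stands in for localtoken.getRefreshToken()
        // Weak path: writing `refreshed` to settings as-is leaves the long-lived secret in the clear.
        String protectedValue = encryptToken(refreshed, password);  // hardened path, as the comment suggests
        System.out.println(protectedValue.contains(refreshed) ? "plaintext leaked" : "stored encrypted");
        System.out.println(decryptToken(protectedValue, password).equals(refreshed) ? "round trip ok" : "mismatch");
    }
}
```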

tmcqueen-materials commented 1 year ago

Thanks for making the update that resolves this!