Use oauth instead of API key

wesselt / bunq2ynab

Upload bunq transactions to ynab

Other

72 stars 18 forks source link

Use oauth instead of API key #25

Closed wesselt closed 10 months ago

wesselt commented 3 years ago

Both bunq and ynab offer oauth
Not sure if oauth tokens are permanent or just for a number of days
A bunq oauth tokens comes with limited rights compared to an API key. For example, an oauth token can't be used to transfer money outside of your account. Not sure if it can be used to read your credit cards.

jakob11git commented 3 years ago

Not sure if oauth tokens are permanent or just for a number of days

MoneyMoney (macOS app) uses OAuth to interact with the bunq API. I have never needed to re-authenticate after initial setup. No idea about YNAB.

anubhavcodes commented 3 years ago

Hi @wesselt first of all, thank you for creating this project. I have been using Bunq for the last year and a half, and I would like to give it a try for the last time by using it's API before finally making a decision on whether I want to continue with them or not ( the new update was not that great for me).

I have comfortable with python and I would be very happy to help you with this project if you need any help. I am very happy to discuss more about this.

Regarding this issue, the oauth tokens are refreshed automatically by the bunq oauth server and we don't need to handle that. The underlying python oauth library should handle that for us. ;)

I look forward for your comments regarding this project and your plans for this repo.

wesselt commented 3 years ago

Hi @anubhavcodes, I've done oauth on a different project, but without a library. Which Python oauth library are you referring too?

Another problem with OAuth is that the client credentials should be stored somewhere.

anubhavcodes commented 3 years ago

I worked on a flask application before and this was super helpful. Made my life so much easier.

Edit: Regarding the credentials, I usually always used either an encrypted storage or environment secrets that can be injected in production environment during runtime. I think I used Heroku Vault but don't remember exactly right now.

mvgijssel commented 10 months ago

Thanks for this sweet tool! While working on https://github.com/mvgijssel/setup/issues/451 also noticed it feels pretty uncomfortable to use a full-access API token. I'm thinking on doing a POC to use add oauth to this library, would you be open to a PR?

wesselt commented 10 months ago

@mvgijssel You're right, an oauth token would be much better. I've thought about how to integrate oauth in a command line tool. Certainly open to a PR!

mvgijssel commented 10 months ago

I've created a first working version! The returned token from the script can be used as the api_token in config.json.