Provide safe storage of client's secrets for implementer modules

Created on 16 May 2023, over 1 year ago

Problem/Motivation

I see Client ID and Client Secret are stored as plain text (serialized data) in the database. For example, if you have phpMyAdmin, just go to yoursite:8036/index.php?route=/sql&pos=0&db=db&table=config&display_blob=true to see them in the rows [implementer_module].settings, e.g. social_auth_microsoft.settings.

If the database username and password were compromised, user passwords wouldn't be (Drupal core hashes them), while all Social Auth IDs and secrets of implementer modules would be compromised.

Proposed resolution

We could maybe integrate with the Key module, which exists exactly for this use case, and optionally with the Encrypt module.

Unfortunately I'm still a noob and can't help with developing this :(
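To make the proposed resolution concrete, here is an added example (written for this page, not code from Social Auth, the Key module or any implementer module) contrasting the two ways an implementer module can obtain its client secret: reading it straight out of its config object, which is what the issue describes, versus storing only a Key entity ID in config and resolving the value through the Key module's key.repository service at runtime. The module name social_auth_example, the config object social_auth_example.settings and the setting name client_secret_key are assumptions for illustration; the service, interface and key_select element come from the Key module.

```php
<?php

namespace Drupal\social_auth_example;

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\key\KeyRepositoryInterface;

/**
 * Resolves OAuth client credentials for a hypothetical implementer module.
 *
 * Added example, not Social Auth code. The config object name
 * "social_auth_example.settings" and the "client_secret_key" setting are
 * assumptions for illustration.
 */
class ClientCredentials {

  public function __construct(
    private readonly ConfigFactoryInterface $configFactory,
    private readonly KeyRepositoryInterface $keyRepository,
  ) {}

  /**
   * Current pattern the issue describes: the secret lives in config storage.
   *
   * Anything that can read the "config" table, or an exported config YAML
   * file, sees the value in clear text.
   */
  public function getSecretFromConfig(): string {
    return (string) $this->configFactory
      ->get('social_auth_example.settings')
      ->get('client_secret');
  }

  /**
   * Proposed pattern: config holds only the ID of a Key entity, and the Key
   * module fetches the value from that key's provider (file, environment
   * variable, Encrypt-backed storage, ...), so the database never holds the
   * secret itself.
   *
   * @throws \RuntimeException
   *   If no key is selected or the key cannot be resolved. Failing loudly is
   *   deliberate: silently falling back to a plain config value would
   *   reintroduce the plaintext path this issue is about.
   */
  public function getSecretFromKey(): string {
    $key_id = $this->configFactory
      ->get('social_auth_example.settings')
      ->get('client_secret_key');
    if (empty($key_id)) {
      throw new \RuntimeException('No client secret key is configured.');
    }
    $key = $this->keyRepository->getKey($key_id);
    if ($key === NULL) {
      throw new \RuntimeException(sprintf('Key "%s" does not exist.', $key_id));
    }
    $value = $key->getKeyValue();
    if ($value === NULL || $value === '') {
      throw new \RuntimeException(sprintf('Key "%s" has no value.', $key_id));
    }
    return (string) $value;
  }

  /**
   * Settings form element: a key_select element from the Key module instead
   * of a plain textfield, so the form submits a key ID rather than the secret.
   */
  public static function keySelectElement(?string $default): array {
    return [
      '#type' => 'key_select',
      '#title' => new TranslatableMarkup('Client secret'),
      '#default_value' => $default,
      '#key_filters' => ['type' => 'authentication'],
      '#required' => TRUE,
    ];
  }

}
```

One caveat when adopting this: the Key module's "Configuration" key provider stores the key value inside the key entity's own config, so it ends up in the same config table and the same config export; the gain only materialises when the key uses a provider that keeps the value outside config (a file outside the web root, an environment variable, or an Encrypt-backed provider). Also check that the module's config schema and any existing config export no longer carry a client_secret value once the key ID replaces it.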

Feature request
Status

Active

Version

4.0

Component

Code

Created by

🇮🇹Italy kopeboy Milan


Comments & Activities

  • Issue created by @kopeboy
  • 🇮🇹Italy kopeboy Milan

    Probably this isn't a big deal with current implementers, since I guess the social providers have other checks in place, but I'm not sure, and I can imagine other providers and site builders mistakenly feeling safe when something is called "secret" but is not encrypted.

  • 🇺🇸United States wells Seattle, WA

    Yes, this would be ideal. We had "Implementing Key for storing API Credentials" (now closed as a duplicate) planned for the 4.0.x work, but unfortunately we didn't get to it in time. I'm not totally sure this would be breaking, but I'm guessing it would...

    Regardless I'm happy to consider this for anyone who has some time to spend on it.

    This ticket has more details, so I'm gonna close "Implementing Key for storing API Credentials" as a dup.
