Storing Passwords for Third Party Services

Question

My application is ruby-on-rails, but I expect any answers to this question will probably be framework agnostic.

My application sends emails via gmail SMTP using rails ActionMailers a-la:

mail = MyActionMailerSubclass.setup_email

options = { :address          => "smtp.gmail.com",
        :port                 => 587,
        :domain               => 'mydomain.com',
        :user_name            => 'myuser@mydomain.com',
        :password             => 's3cur3p@s$w0rd',
        :authentication       => 'plain',
        :enable_starttls_auto => true  }

mail.delivery_method :smtp, options
mail.deliver

Ok, that's great...there's my password for gmail in plain text in the application code. Or I could store it in the database in plain text. Obviously both are unacceptable.

Salting and hashing, the usual technique wont work here because I need to send the password along to gmail.

So, what strategies are there for securing a password for a third party service?

Ultimately that user name and password wont even belong to me, they will belong to the application end-user.

score 4 · Answer 1 · answered Nov 29 '10 at 03:05

Gmail's SMTP server supports two authentication mechanisms: PLAIN and XOAUTH. The PLAIN mechanism requires that you know the user's plaintext password, and I'm glad you aren't prepared to store those.

Take a look at the OAuth protocol as used by Gmail. I haven't ever used it and I just found out that Gmail supports it for SMTP, so I can't help any further, but I'd say that's precisely what you want. OAuth is a way for a service (such as Gmail) to allow third-party services (such as yours) to perform a limited set of actions on behalf of users without logging in with their password.

score 0 · Answer 2 · answered Nov 29 '10 at 03:01

0

If the application is private then this should be of no concern, but I'm guessing it's for a public / open-source application.

If that is the case, then add a basic example of that file as config/initializers/mail.rb.example and add the real thing to your .gitignore file so that it's never committed. After that, add instructions to the README that people will need to copy over the mail.rb.example file to mail.rb in order for the application to work as intended.

answered Nov 29 '10 at 03:01

Ryan Bigg

106,965
23
235
261

Thanks Ryan, that helps in the case where other coders are involved. My real concern is that the end user will be doing the emailing from their account. So I need a way for them to store their credentials. – SooDesuNe Nov 29 '10 at 03:06
That approach will help the OP hide his *own* password from open-source users. I think what he is concerned about is more that he'll have to store *his* users' passwords on his server in plaintext, and doesn't want the responsibility. – mgiuca Nov 29 '10 at 03:07

Storing Passwords for Third Party Services

2 Answers2