Securing API secrets within plugins

---

I was just looking into creating a plugin for netatmo and was running into one problem.

To acces the netatmo api you need to create an “app” which then provides a “client id” and a “client secret”. These are then used for authentication. These should not be visible in the code of your application in a “human readable” format.

This definitely makes sense so that no malicious software will use your API key and your app/acces will be disabled.

Normally I would encrypt them in the code which would then be compiled to binary which should be sufficient enough to protect it reasonably (I know it still is not secure but it would take some work to extract it)

I know there is a way tho have native modules in node but as far as I know the source code would need to be provided in “clear text”.

Does anybody here have any ideas how I could securely store the “client secret” in the application?

Sure one option would be for now that anybody who wants to use it has to create his own app in the netatmo account but I don’t know how long netatmo will allow this.

In addition I think this is a problem for many APIs which we wan’t to build plugins for.

It also seems to be a “problem” that you can allways alter the node.js code so that you do some console.log of the parameters when the api call is done.

@thex A simple measure is to encrypt credentails as part of the configuration. As pimatic does not support this it requires some additional effort to differentiate between clear text and encrypted text if the user has to provide credentials initially as part of the config, e.g. a password. This can be solved for example by prefixing the encrypted text. The next problem is where to store the key used for encryption. Storing it as part of the code or in separate file means there is hardly no security at all, but obscurity. An attacker automatically scannering your config files for password won’t be successful but if the attacker gets hold of the rest it will be fairly easy to anaylze the code and decypher the encrypted credentials. Code obfuscation would help a little bit, but again it just obfuscation. The only measure against this I can see is to passphrase the key, but then the user needs to enter the passphrase at some point.

Yes had the same thoughts. So if we would provide a way to set the password for the users via the frontend we could save only the hash and secure this in the first place, furthermore we could use this same password then to encrypt other credentials.

Secretly I was hoping for something like the keychain on iOS or os x.

You are right that for sake of security we should also encrypt these but my main point was API keys which should not even be available/visible for users or other developers which take apart your plugin.

The only way I can currently think of is wrapping all requests to the api in a properitary binary module which needs to be precompiled for different platforms (if something like this is possible in nodejs)

While password store services like iOS keychain are not secure per se, they provide a good tool to manage multiple account credentails and to keep them in a (hopefully) safe place - better than cleartext on file for sure! I think we should discuss this futher and summarize it as a feature request.

Things to look at:

• buttercup password vault
• credential password hashing (see also chapter 6 of Programming Javascript Applications)
• passport.js authentication middleware for Node.js