
After creating my Twitter application, the following warning was displayed:

OAuth settings

Your application's OAuth settings. Keep the "Consumer secret" a secret. This key should never be human-readable in your application.

How do I keep my "Consumer Secret" a secret?

Twitter_test.php (source: Jimbo)

<?php
require_once 'TwitterAPIExchange.php'; // the twitter-api-php library class

// Set access tokens here
$settings = array(
    'oauth_access_token' => "My Oauth Access Token",
    'oauth_access_token_secret' => "My Oauth Access Token Secret",
    'consumer_key' => "My Consumer Key",
    'consumer_secret' => "My Consumer Secret"
);

$url = 'https://api.twitter.com/1.1/followers/ids.json';
$getfield = '?username=somename';
$requestMethod = 'GET';
$twitter = new TwitterAPIExchange($settings);
echo $twitter->setGetfield($getfield)
             ->buildOauth($url, $requestMethod)
             ->performRequest();

TwitterAPIExchange (source: twitter-api-php)

Anthony

3 Answers


You can save the Consumer secret in the database in serialized format and then unserialize it while fetching, and then use it.

Viral Solani

I'd create a library integrated with the Twitter API, and store the data in a config file in application/config/ as mentioned in the given link.

To please Twitter, simply parse:

$this->load->library('encrypt');

echo $this->encrypt->encode('your given secret here');

Take the output, store it inside the config file, and when you're fetching it:

$this->load->library('encrypt');

$str_secret = $this->encrypt->decode($config['secret']);
  • Encryption: don't forget to set a key as described in this link.

Note that they demand that you do that for maximum security, in case someone gets control over your FTP or similar. However, if it can be decoded, it can be read. This isn't the ultimate solution, but simply a slightly more reliable one.

Robin Castlin
  • +1 Thank you Robin. I'm currently using your answer and links to help me with this project. Thanks. – Anthony May 07 '13 at 18:34
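The "store it encoded, decode it on use" pattern from this answer, written as an added example that is not part of the answer or of CodeIgniter: it uses PHP's own openssl_* functions (AES-256-GCM, PHP 7.1+ assumed) as a stand-in for the CodeIgniter Encrypt library, and it makes the answer's caveat concrete. The ciphertext in application/config is only as secret as the key that decodes it, so the key is read from an environment variable (the name TWITTER_CONFIG_KEY is an assumption) set in the server's configuration rather than stored beside the ciphertext:

```php
<?php
// Added example (not from the answer or CodeIgniter): store the consumer secret
// encrypted in config and decode it on use, with the key kept elsewhere.
// Assumptions: PHP 7.1+ with the OpenSSL extension; env var name TWITTER_CONFIG_KEY.

const CIPHER = 'aes-256-gcm';

/** Encrypt a secret for storage in config; returns base64(iv . tag . ciphertext). */
function sealSecret(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 raw bytes for AES-256');
    }
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Reverse of sealSecret; returns null if the key is wrong or the blob was altered. */
function openSecret(string $blob, string $key): ?string
{
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 16) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, 16);        // GCM tag: authenticates the ciphertext
    $ct  = substr($raw, $ivLen + 16);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// The key is the point of the answer's caveat: if it sits in the same config file
// (or the same repository) as the ciphertext, anyone who can read the file can
// decode the secret. Here it comes from an environment variable (assumed name)
// set in the web server's configuration, not from code.
function loadConsumerSecret(array $config): string
{
    $keyHex = getenv('TWITTER_CONFIG_KEY');
    $key    = $keyHex !== false ? hex2bin($keyHex) : false;
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('TWITTER_CONFIG_KEY (64 hex chars) is not set');
    }
    $secret = openSecret($config['secret'], $key);
    if ($secret === null) {
        throw new RuntimeException('consumer secret could not be decoded: wrong key or tampered config');
    }
    return $secret;
}

// One-time step, run from the shell rather than from a web page: prints the key
// to export and the value to paste into application/config as $config['secret'].
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'seal') {
    $key = random_bytes(32);
    echo "export TWITTER_CONFIG_KEY=", bin2hex($key), "\n";
    echo "\$config['secret'] = '", sealSecret($argv[2] ?? '', $key), "';\n";
}
```

Run `php seal.php seal 'your given secret here'` once, put the printed export line in the server environment and the printed config line in application/config, then call loadConsumerSecret($config) where the answer calls decode(). GCM's tag means a config edited by someone without the key fails to decode instead of yielding garbage, which is also the right moment to alert on.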

consumer_secret is a secret key given by Twitter when you sign up for the APIs. You can keep it safe by putting the Twitter code in your library or a similar folder and making sure that folder is not directly accessible via a browser URL.

For example, if you put the Twitter config.php in the lib folder then it should not be accessible like this:

www.somedomain.com/lib/config.php

chandresh_cool
  • +1 Thanks for your reply. I really like this method because it sounds fairly easy. This sounds easier than saving it in the database in serialized format. However, I'm wondering if this is secure because anyone who has access to the library can view these keys. For example, I'm making a simple app so I can use it in my portfolio when applying for jobs as a web dev. In this case, the prospective employer could see these keys. What are your thoughts on this. – Anthony May 07 '13 at 10:59
  • First of all you cannot restrict this if your web developers are not trustworthy. Even then, if you feel it is not safe then you create a file with sudo rights which means only a sudo user can see and modify it – chandresh_cool May 07 '13 at 11:20
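An added example covering both the question's Twitter_test.php (where the four credentials are literals in the script) and this answer's point that the file holding them must not be reachable through a browser URL. It is not code from the question, the answer or twitter-api-php. The config path /etc/myapp/twitter.php, the Unix file-permission check and the location of TwitterAPIExchange.php are assumptions; the rest of the request is the question's own call sequence:

```php
<?php
// Added example (not from the question, the answer or twitter-api-php): read the
// OAuth settings from a PHP file kept outside the document root, and refuse to
// start if that file is served by the web server or readable by other users.
// Assumptions: Unix host, config at /etc/myapp/twitter.php owned by the web user
// with mode 0600, TwitterAPIExchange.php beside this script.

require_once __DIR__ . '/TwitterAPIExchange.php';

/**
 * Load the OAuth settings from a config file that the web server process can
 * read but cannot serve. The file itself just does `return array(...)`.
 */
function loadTwitterSettings(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("Twitter config not found: $path");
    }

    // Refuse a config that lives under the document root: a misconfiguration
    // (or a .php file renamed to .txt) would hand the raw file to any browser.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, rtrim($docRoot, '/') . '/') === 0) {
        throw new RuntimeException("Twitter config must not be under the document root: $real");
    }

    // Refuse a config readable by "other" users on the host (e.g. mode 0644):
    // on a shared server that is every other account.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('Twitter config %s is world-readable (mode %04o)', $real, $mode));
    }

    $settings = require $real;
    if (!is_array($settings)) {
        throw new RuntimeException("Twitter config $real did not return an array");
    }
    foreach (['oauth_access_token', 'oauth_access_token_secret', 'consumer_key', 'consumer_secret'] as $key) {
        if (empty($settings[$key])) {
            throw new RuntimeException("Twitter config is missing '$key'");
        }
    }
    return $settings;
}

// /etc/myapp/twitter.php (assumed path) contains only:
//   <?php return array(
//       'oauth_access_token'        => '...',
//       'oauth_access_token_secret' => '...',
//       'consumer_key'              => '...',
//       'consumer_secret'           => '...',
//   );
$settings = loadTwitterSettings('/etc/myapp/twitter.php');

// From here on this is the question's own request, minus the hardcoded secrets.
$url           = 'https://api.twitter.com/1.1/followers/ids.json';
$getfield      = '?username=somename';
$requestMethod = 'GET';

$twitter = new TwitterAPIExchange($settings);
echo $twitter->setGetfield($getfield)
             ->buildOauth($url, $requestMethod)
             ->performRequest();
```

This is also what answers the portfolio worry in the comments: the script you publish contains no credential at all, only the path it loads them from, so showing the source to a prospective employer reveals nothing. The document-root and permission checks fail loudly at startup, which is preferable to discovering the exposure from Twitter's side after the keys have been used by someone else.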