I'm building an app for which I need to store my users' login credentials for a 3rd party service. Communication with the 3rd party service is done via https GET requests.
From what I've seen, looking at posts like this one, there's no clear answer as to the best practices for doing this, and the specific methods discussed in that post at least all leave something to be desired.
So one thought I had was that perhaps it'd be possible to get around the problem by "pre-encrypting" the query string for the 3rd party request and storing that encrypted data in my db in lieu of storing the users' credentials directly. This way I can store the credentials in an encrypted form but not worry about the key being compromised, as it's held by the 3rd party, not me. And if my db were compromised the intruder wouldn't get anything more than he could obtain by packet sniffing.
I can't seem to find any examples of anyone doing something like this, so I'd like feedback on whether the community thinks it's a reasonable approach. Beyond that, a little help on how exactly to do it would be great. I'm building my app in node.js/express, and currently I'm just using the https module to handle communication with the 3rd party, but clearly I'd have to go at it at a lower level in order to take this approach.
The basic process would be:
- Do the same thing as https.request in order to establish an ssl/tls connection to the 3rd party and encrypt the query string containing the user's credentials
- Stop short of actually sending the encrypted data to the 3rd party and instead store it in my db
- At a later time, "reconstruct" the https connection with the stored data and send it to the 3rd party, process response, win
