I'm building an application that provides different views of accounting data for whoever signs up. It connects to their Quickbooks accounts and pulls financial data from there. To do this it fetches and stores a Quickbooks Access Token and a Refresh Token. The Access Token can be used to fetch data, and the Refresh Token can be used to get a new Access Token.
Their developer forums say that the Refresh Token should be encrypted and stored in the database so the user only has to grant authorization once and the app can keep accessing Quickbooks data, refreshing access tokens automatically.
We're looking to have multiple users that can access the same Quickbooks company, so we'll store the token and say what users can access it through an invite system where the Admin User (the one who initially authorized the use of their Quickbooks data) can invite other users to access the data as well.
Our application is separated into a python backend and a react frontend. None of the tokens ever make their way to the frontend; when the authorization to Connect to Quickbooks occurs, it is fully encapsulated in the backend and Intuit's login servers. The tokens are then saved in the database, and used to hit Quickbooks' API for data if the user has access to that company.
With storing Access Tokens that offer full access to a company's financial data, we're worried that a rogue employee could use it to pull all of our users' financial data and publish it. I'm not sure how to handle encryption to keep the data out of the eyes and use of developers while having it accessible by the application. The backend needs to be able to decrypt the Access Token to use it to grab Quickbooks data. If it were user to user encryption then they'd have their own private keys, but since the users never see it and the app needs to decrypt it, how do I keep it away from the "rogue employee"?
Any input is appreciated.
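The usual answer to the question above is to separate *who can read the database* from *who holds the key*: the refresh token is encrypted per record under a data encryption key (DEK), and the DEK is itself wrapped under a key encryption key (KEK) that never lives in the database (it sits in a KMS, HSM or secrets manager that only the running backend can call, with its own access log). A developer with a database dump then holds nothing usable, and the person who administers the key store does not have the rows. The following is an added example written for this answer, not code from the poster's application or from Intuit; the `TokenRecord` shape, the `quickbooks-refresh-token:` AAD label and the in-memory KEK in `main` are assumptions made for the demonstration (in production the wrap/unwrap step would be a KMS call so the KEK bytes never reach application memory).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TokenRecord is the shape of a database row (constructed for this example).
// Nothing in it is usable without the KEK, which is held outside the database.
type TokenRecord struct {
	CompanyID  string // Quickbooks company/realm the token belongs to
	WrappedDEK []byte // per-record data key, AES-GCM encrypted under the KEK
	Ciphertext []byte // the refresh token, AES-GCM encrypted under the DEK
}

// aadFor binds a ciphertext to one company so a row copied onto another
// company's record (or decrypted for the wrong company) fails authentication.
func aadFor(companyID string) []byte {
	return []byte("quickbooks-refresh-token:" + companyID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any tampering or AAD mismatch yields an error, never garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptToken builds the row to store: a random DEK encrypts the token,
// and the KEK (from the key store, not the database) wraps the DEK.
func EncryptToken(kek []byte, companyID, refreshToken string) (TokenRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return TokenRecord{}, err
	}
	aad := aadFor(companyID)
	ct, err := seal(dek, []byte(refreshToken), aad)
	if err != nil {
		return TokenRecord{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return TokenRecord{}, err
	}
	return TokenRecord{CompanyID: companyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptToken is the only path back to the plaintext; it needs both the row
// and the KEK, so neither a database dump nor key-store access alone suffices.
func DecryptToken(kek []byte, companyID string, rec TokenRecord) (string, error) {
	aad := aadFor(companyID)
	dek, err := open(kek, rec.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, rec.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt token: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KMS-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, _ := EncryptToken(kek, "realm-123", "example-refresh-token") // constructed token
	tok, err := DecryptToken(kek, "realm-123", rec)
	fmt.Println("own company:", tok, err)
	_, err = DecryptToken(kek, "realm-999", rec) // row moved to another company
	fmt.Println("moved row:", err)
	_, err = DecryptToken(make([]byte, 32), "realm-123", rec) // dump without the KEK
	fmt.Println("without KEK:", err)
}
```

Two things this buys beyond "encrypt the column": the AAD stops an insider with write access from re-homing a token onto a company they have been invited to, and because every decrypt goes through one function that calls the key store, the key store's audit log becomes the record of which backend identity decrypted which company's token and when. The remaining risk is a developer with a shell on the production backend, which is addressed by not giving developers that access (separate production credentials, deployment through CI, no interactive debug endpoints that return tokens) rather than by cryptography.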