How/where to save oauth token? (nodejs)

The application would basically be a chat bot (similar to DeepBot; it runs on the client's machine, not a server).
The application has a default twitch account as a chat bot.

If I were to create a desktop application that requires the user to authorize my app with their own “custom chat bot” account, how would I save the oauth key or access token securely?

I would like it so once the first-time authorization is complete, the token is remembered somewhere so the user does not have to authorize every time the desktop application is restarted.

EDIT: If I use Electron, would I just store it in a session cookie and persist it? Are there any other methods to securely save OAuth keys so users do not have to authorize every time (which I believe creates a new OAuth key every time)?

A local database would be preferred.
I imagine you offer some kind of settings for your bot; how do you store those?

Wherever you store it, make sure it is secure and encrypted. OAuth tokens are considered passwords, so they should be stored securely.

Well, I was thinking that even if I encrypt the password and store it in the database, such as using crypto, this only prevents:

  1. plain text view
  2. that’s it

I can go on to set a password for the database or encrypt the database as well.
Anyone who gets hold of the database file can still easily decrypt the database and the passwords.
However, I guess if an abuser really wanted to get hold of the auth token, they would probably get it?

Also, I am speaking in terms of JavaScript and I have found that there is no easy way to protect the source code. In a scenario where I were to distribute my application to many users, and an attacker wanted to get all the auth tokens of these users, they would simply have to look at my source code and how to decrypt everything. Then, create a malicious program to decrypt a user’s information. Of course, the attacker would have to find a way to get this malicious program onto the user’s system. So perhaps the issue lies within JavaScript itself? Sorry, perhaps this is way too crazy. I am just preparing for the worst-case scenario LOL

EDIT: I mean Electron, not JavaScript, since I am reading that nw.js does protect JS source code.

I would highly recommend you research security and storage of public/private keys for encryption. Design of your security system is outside the scope of this forum. I just wanted to provide a reminder that you are responsible for anything that happens with a user's OAuth tokens, passwords, etc. See the Keys section of the Developer Agreement.

-D
