How to store an authorization token?

_rob · May 11, 2018, 11:20am

For communication with the Remember The Milk API I need to store a (somewhat) persistent authorization token (the token is currently hard coded in my script, but I want to improve on that). I’m thinking of using FileManager to store the token (probably in iCloud if that means I have to authorize only once and can then use the token on all my iOS devices), but I’m not sure this is secure enough. Would using Credentials be safer? And how would one do that?

How do you store authorization tokens in your scripts?

RosemaryOrchard · May 11, 2018, 11:46am

You should use the Credentials option documented - it will make the key available to the scripts that need it, and is designed for this purpose

_rob · May 11, 2018, 9:02pm

How can I store the token? I see getValue, but no corresponding setValue.

Also, how does createWithUsernamePassword(identifier, description) work? I don’t see how to add the username and password. Is this signature correctly documented? Or is this a copy/paste mistake and are some parameters missing?

RosemaryOrchard · May 11, 2018, 9:08pm

I’m 99% sure it’s saved when you call the authorize function

sylumer · May 11, 2018, 9:39pm

The function your referencing sets up the storage space for the credential. You then assign the credential elements to it. Here are the first few lines from the example on the page Rosemary referenced that show just that.

var credential = Credential.create("My Service", "Description of the service to appear in user prompt.");

credential.addTextField("username", "Username");
credential.addPasswordField("password", "Password");

It would depend upon how a particular API works but upon calling authorize() some sort of authentication token must get captured by the credentials object must get captured. What I’m not clear on is if that is then implicitly bound to the credential until the API foces a refresh or if it is regenerated on each run using the username & password provided.

To me credentials just looks like a secured storage area; I’ve not done much with it yet. I would imagine that if you are using a secure key or token for a service then you would use addTextField() to capture it with an appropriate key name and include that in the header element / URL parameter for any API requests that require it.

_rob · May 11, 2018, 10:01pm

How would Drafts be able to that without knowing the specifics of an API?

_rob · May 11, 2018, 10:05pm

I also see Credentials as some kind of secure storage, but based on the documentation I thought it was for username & password only (or other things that a user has to enter manually). I don’t understand how to store other (not user facing) data, like an authorization token.

Does anyone have a working example?

RosemaryOrchard · May 12, 2018, 5:23am

This is an example (not mine) which uses Credentials with an API key: Todoist V3

_rob · May 12, 2018, 6:15am

Thanks. I will try this.

In this example the user has to enter the token manually. I was hoping that I could store it from code, but now that I think of it I’m not even sure whether I can get the token in code from the API in the first place…

RosemaryOrchard · May 12, 2018, 6:26am

Probably not, I would suggest having the user enter their key.

_rob · May 12, 2018, 7:37am

Oh, there is an RTM API to get the token (rtm.auth.getToken) and the Pythonista script is using that…

(I hope I find some time for experimenting this weekend)

_rob · May 13, 2018, 8:18am

I’m afraid I still don’t understand the difference between these functions:

create
createWithUsernamePassword
createWithHostUsernamePassword

The Credentials documentation only gives an example for the first one.

Where can I find examples for the other two?

sylumer · May 13, 2018, 9:24am

When you use create() you have to specify the fields to prompt the user for explicitly. The other two functions simply save you time & effort and automatically add the username/password/host fields (according to which function use). Just try them out.

_rob · May 13, 2018, 9:36am

Ah, only the fields?

I guess I’m focusing too much on the values.

Seems like it is (currently?) just not possible what I want: storing a value in Credential from code, without user intervention.

Then I have to use FileManager for now.

agiletortoise · May 14, 2018, 2:28pm

That is correct, it is not possible to set credentials programmatically. I’m not crazy about adding that as an option, but I’ll think about it. It could easily encourage some bad practices hard coding values.

davenicholls · May 14, 2018, 4:07pm

Unless I am missing something, _rob is looking for a way to share credentials across devices so they don’t need to be set up multiple times.

A better solution to that issue would be the ability to sync credentials rather than allowing credentials to be set up programmatically.

Is syncing possible?

sylumer · May 14, 2018, 4:29pm

I may be wrong, but I thought that the API he is using issues a limited time token from an initial authentication call and then he needs to use that is subsequent interactions. Just programmatic use rather than cross device use.

davenicholls · May 14, 2018, 4:37pm

He does say that the token is ‘somewhat’ persistent, but looking at the RTM API documentation it looks like the token can be revoked, but isn’t time limited

_rob · May 14, 2018, 6:41pm

I want the token to be persistent between multiple runs of my script (on the same device; if I can reuse the token on other devices that is a bonus).

The RTM API documentation is a bit vague about the lifetime of these tokens:

auth_token’s can and do expire (for example, if the user revokes the permissions they granted to your application).

davenicholls · May 14, 2018, 7:03pm

Storing the token in Credentials will keep it for you.

I would also like Credentials to be sync’ed across devices