this post was submitted on 02 Aug 2023
9 points (100.0% liked)

Ask Experienced Devs

1232 readers
1 users here now

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
Ategon@programming.dev
9
How to store a password for a desktop client? (programming.dev)
submitted 1 year ago* (last edited 1 year ago) by TheCee@programming.dev to c/ask_experienced_devs@programming.dev
14 comments fedilink hide all child comments
 

Hi, by now it seems to be common knowledge that passwords shouldn't be stored in a database. Backend devs generally know to hash and salt and what-not their transmitted passwords. It seems to be well documented.

However, I wasn't exactly able to find such a clear answer for client applications accessing e.g. web APIs. For example, lets assume you were to create a Lemmy desktop application with support for multiple accounts. Ideally, that software would work like a password manager and store its master password as hash only.

However(2), sometimes users like to start said application without entering their password. Like an Email client in pleb mode. Which requires the passwords to be stored somewhere. In this case, what is the best course of action?

you are viewing a single comment's thread
view the rest of the comments
[–] canpolat@programming.dev 5 points 1 year ago

As far as I know, the correct way of handling authentication for a desktop applications is using OAuth and "Authentication Code with PKCE" flow. This way, you won't have to store the password at all.

But Lemmy doesn't support OAuth as of now. So, if you want users to be able to use the application without entering credentials, you will have two options:

  1. Store the password under current user
  2. Store the token you receive after the login (the token doesn't expire)

Lemmy may decide to expire tokens in the future (that's the correct thing to do, in my opinion).