oauth-encryption

Documentation of Meteor's oauth-encryption package.

Encrypts sensitive login secrets stored in the database, such as a login service's application secret key and users' access tokens.

Generating a Key

The encryption key is 16 bytes, encoded in Base64.

To generate a key:

  $ meteor node -e 'console.log(require("crypto").randomBytes(16).toString("base64"))'

Using oauth-encryption with accounts

On the server only, use the oauthSecretKey option to Accounts.config:

  Accounts.config({ oauthSecretKey: 'onsqJ+1e4iGFlV0nhZYobg==' });

This call to Accounts.config should be made at load time (place it at the top level of your source file), not called from inside a Meteor.startup block.

To avoid storing the secret key in your application's source code, you can use Meteor.settings:

  Accounts.config({ oauthSecretKey: Meteor.settings.oauthSecretKey });

Migrating unencrypted user tokens

This example for Twitter shows how existing unencrypted user tokens can be encrypted. The query finds user documents which have a Twitter access token but not the algorithm field which is created when the token is encrypted. The relevant fields in the service data are then encrypted.

  import { Meteor } from 'meteor/meteor';
  import { _ } from 'meteor/underscore';
  import { OAuthEncryption } from 'meteor/oauth-encryption';

  // Server only: run once, after the encryption key has been loaded.
  const cursor = Meteor.users.find({
    $and: [
      { 'services.twitter.accessToken': { $exists: true } },
      // A sealed token is an object carrying an `algorithm` field;
      // a bare string is a legacy, unencrypted token.
      { 'services.twitter.accessToken.algorithm': { $exists: false } }
    ]
  });
  cursor.forEach((userDoc) => {
    const set = {};
    ['accessToken', 'accessTokenSecret', 'refreshToken'].forEach((field) => {
      const plaintext = userDoc.services.twitter[field];
      // Skip fields that are absent or already sealed (non-string).
      if (!_.isString(plaintext)) {
        return;
      }
      // The user id is passed so the sealed value is bound to this user.
      set[`services.twitter.${field}`] = OAuthEncryption.seal(
        plaintext,
        userDoc._id
      );
    });
    Meteor.users.update(userDoc._id, { $set: set });
  });

Using oauth-encryption without accounts

If you're using the oauth packages directly instead of through the Meteor accounts packages, you can load the OAuth encryption key directly using OAuthEncryption.loadKey:

  OAuthEncryption.loadKey('onsqJ+1e4iGFlV0nhZYobg==');

If you call retrieveCredential (such as Twitter.retrieveCredential) as part of your process, you'll find when using oauth-encryption that the sensitive service data fields will be encrypted.

You can decrypt them using OAuth.openSecrets:

  const credentials = Twitter.retrieveCredential(token);
  const serviceData = OAuth.openSecrets(credentials.serviceData);

Using oauth-encryption on Windows

This package depends on npm-node-aes-gcm, which requires you to have OpenSSL installed on your system to run. To install OpenSSL on Windows, use one of the binaries on this page. Don’t forget to install the Visual Studio 2008 redistributables if you don’t have them yet.