[R-pkg-devel] Keeping secrets in R packages
nfultz at gmail.com
Sun Jun 7 18:26:58 CEST 2015
Thanks everyone for the replies.
Here's a brief overview of my current plan for what to do with the parts
of the three way handshake :
1. Client id / secret can/should go in the package, unlike passwords
2. Authorization code is used immediately and discarded
3. Token is cached out to a dotfile, and reread into a package variable in
With a little extra code to deal with expired tokens, I should be able get
our daily cron jobs back up.
On Sun, Jun 7, 2015 at 9:10 AM, Greg Snow <538280 at gmail.com> wrote:
> If you just want to protect the secret from casual view (but don't
> need strong encryption), then you could just use a basic
> encryption/decryption algorithm, include the encrypted secret in the
> package and have the function decrypt it before sending. See the
> "petals" function in the TeachingDemos package for one simple example
> of doing this. This would not be strong encryption, an intermediate
> level R programmer would be able to print the secret in plain text,
> but it does protect from accidental or casual viewing (anyone seeing
> it would have to have deliberately set out to do so and would not be
> able to claim that they just accidentally saw it). This is fairly
> quick, easy, and self contained in the package.
> On Fri, Jun 5, 2015 at 4:19 PM, Neal Fultz <nfultz at gmail.com> wrote:
> > I am working on updating the RGoogleDocs package to use OAuth2, since the
> > old api was recently turned off (at my job we use it as a poor mans
> > database).
> > As part of the auth process, I need to send google a client key and
> > in order to gain access to a spreadsheet. Is there a 'safe' place to
> > the secret?
> > I would strongly prefer not requiring my end users to have to sign up for
> > their own google API keys, but I also do not want to store the secret in
> > the clear.
> > Any suggestions on best practices?
> > -Neal Fultz
> > [[alternative HTML version deleted]]
> > ______________________________________________
> > R-package-devel at r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-package-devel
> Gregory (Greg) L. Snow Ph.D.
> 538280 at gmail.com
[[alternative HTML version deleted]]
More information about the R-package-devel