[R-pkg-devel] Keeping secrets in R packages

Neal Fultz nfultz at gmail.com
Sun Jun 7 18:26:58 CEST 2015


Thanks everyone for the replies.

Here's a brief overview of my current plan for what to do with the parts
of the three-way handshake:

1. Client id / secret can/should go in the package, unlike passwords
2. Authorization code is used immediately and discarded
3. Token is cached out to a dotfile, and reread into a package variable in
.onAttach

With a little extra code to deal with expired tokens, I should be able to get
our daily cron jobs back up.



On Sun, Jun 7, 2015 at 9:10 AM, Greg Snow <538280 at gmail.com> wrote:

> If you just want to protect the secret from casual view (but don't
> need strong encryption), then you could just use a basic
> encryption/decryption algorithm, include the encrypted secret in the
> package and have the function decrypt it before sending.  See the
> "petals" function in the TeachingDemos package for one simple example
> of doing this.  This would not be strong encryption, an intermediate
> level R programmer would be able to print the secret in plain text,
> but it does protect from accidental or casual viewing (anyone seeing
> it would have to have deliberately set out to do so and would not be
> able to claim that they just accidentally saw it).  This is fairly
> quick, easy, and self contained in the package.
>
> On Fri, Jun 5, 2015 at 4:19 PM, Neal Fultz <nfultz at gmail.com> wrote:
> > I am working on updating the RGoogleDocs package to use OAuth2, since the
> > old API was recently turned off (at my job we use it as a poor man's
> > database).
> >
> > As part of the auth process, I need to send Google a client key and secret
> > in order to gain access to a spreadsheet. Is there a 'safe' place to store
> > the secret?
> > I would strongly prefer not requiring my end users to have to sign up for
> > their own Google API keys, but I also do not want to store the secret in
> > the clear.
> >
> > Any suggestions on best practices?
> >
> > -Neal Fultz
>
>
>
> --
> Gregory (Greg) L. Snow Ph.D.
> 538280 at gmail.com
>
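
Step 3 of the plan at the top of this message (cache the token in a dotfile, reread it in .onAttach, cope with expiry), sketched as an added example that is not code from the thread or from RGoogleDocs. The names .state, token_path(), save_token() and load_token() and the dotfile name are hypothetical; the token is assumed to be a list carrying the standard OAuth2 fields access_token and expires_in.

```r
# Hypothetical names throughout; added example, not RGoogleDocs code.
.state <- new.env(parent = emptyenv())   # package-level variable holding the token

token_path <- function() file.path(path.expand("~"), ".rgoogledocs-token.rds")

# Write the token so that only the owning user can read it.
save_token <- function(token, path = token_path()) {
  stopifnot(is.list(token), !is.null(token$access_token), !is.null(token$expires_in))
  token$expires_at <- Sys.time() + as.numeric(token$expires_in)
  old_umask <- Sys.umask("077")          # files created from here on are 0600 (POSIX)
  on.exit(Sys.umask(old_umask), add = TRUE)
  tmp <- tempfile(pattern = ".token-", tmpdir = dirname(path))
  saveRDS(token, tmp)
  Sys.chmod(tmp, mode = "0600", use_umask = FALSE)
  if (!file.rename(tmp, path)) {         # rename so a reader never sees a partial file
    unlink(tmp)
    stop("could not write token cache: ", path)
  }
  invisible(token)
}

# Return the cached token, or NULL when it is missing, unreadable, not a list,
# accessible to other users, or within `slack` seconds of expiring.
load_token <- function(path = token_path(), slack = 60) {
  if (!file.exists(path)) return(NULL)
  mode <- as.integer(file.info(path)$mode)
  if (.Platform$OS.type == "unix" && bitwAnd(mode, 63L) != 0L) {  # 63 == octal 077
    warning("ignoring token cache accessible to group/other: ", path)
    return(NULL)
  }
  token <- tryCatch(readRDS(path), error = function(e) NULL)
  if (!is.list(token) || is.null(token$expires_at)) return(NULL)
  if (Sys.time() + slack >= token$expires_at) return(NULL)
  token
}

.onAttach <- function(libname, pkgname) {
  .state$token <- load_token()
  if (is.null(.state$token)) {
    packageStartupMessage("No valid cached token; re-authorization is needed.")
  }
}
```

A NULL from load_token() is the point where the extra code for expired tokens would run before a cron job proceeds.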
