mel

Reputation: 2790

Where to store the key used for token generation in email confirmation

I have this source code in ruby:

Ruby code

I am trying to build an approximately similar class. I have this endpoint:

from flask import request, render_template

# InitializeAccountForm and verify_email_account come from the asker's own
# modules and are not shown on the page.

@register_endpoint.route('/', methods=['POST'])
def process_signup_form():
    form = InitializeAccountForm(request.form)
    if form.validate_on_submit():
        email = form.email.data
        first_name = form.first_name.data
        # TODO add exception if the email doesn't land
        response = verify_email_account(first_name, email)
        return render_template("auth/register.html", form=form)
    else:
        return render_template("auth/register.html", form=form)

That sends an email with a link including a token generated using this class:

import base64

import nacl.secret
import nacl.utils


class SecureMessage:

    def __init__(self):
        # A fresh random key is drawn for every instance, so only this
        # instance can decrypt what it encrypted.
        self.key = nacl.utils.random(nacl.secret.SecretBox.KEY_SIZE)

    def encrypt(self, message):
        # SecretBox.encrypt picks a random nonce and prepends it to the
        # ciphertext, so the same message gives a different token each time.
        if message:
            box = nacl.secret.SecretBox(self.key)
            cypher_text = box.encrypt(bytes(message, "utf-8"))
            encoded_cypher_text = base64.urlsafe_b64encode(cypher_text)
            return encoded_cypher_text
        else:
            return None

    def decrypt(self, token64):
        # box.decrypt raises nacl.exceptions.CryptoError when the token was
        # altered or was encrypted under a different key.
        if token64:
            token = base64.urlsafe_b64decode(token64)
            box = nacl.secret.SecretBox(self.key)
            decrypted_token = box.decrypt(token)
            return decrypted_token
        else:
            return None

And I have another endpoint that is supposed to decrypt the previously generated token:

@register_endpoint.route('/<string:token>', methods=['GET'])
def display_register_form(token):
    error = None
    # SecureMessage() here is a new instance holding a new random key,
    # not the instance (and key) that produced the token.
    decrypted_token = SecureMessage().decrypt(token)
    form = RegisterAccountForm(decrypted_token)
    return render_template("auth/register.html", form=form, error=error)

I don't really know where to store my secret key in my Flask environment, nor where the key is stored in the Ruby code.

Could you tell me what is the best and most secure way to store my key?

EDIT:

I have the following flow:

  1. The user signs up by filling in first_name and email on /register_account
  2. I encrypt the JSON {"first_name": first_name, "email": email} using a symmetric key (it gives me a URL-safe token)
  3. I send the user a link /register/ via email
  4. When the user clicks the link in the email, we retrieve the token from the URL, decrypt it using the same symmetric key, and pre-fill the first name and email fields; then the user can fill in fields like password, etc.
  5. We store the user

My question is how can I store the symmetric key used in my encryption/decryption process?

Upvotes: 0

Views: 115
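The key-handling pattern the question is asking about, as an added example (not the asker's code and not PyNaCl's): the key is generated once out of band, read from an environment variable at process start, and passed into every token object, so two instances built in two different requests or worker processes agree on it. To keep the example runnable without third-party packages it uses an HMAC-SHA256 signed token from the standard library instead of `nacl.secret.SecretBox`; the payload is therefore readable by whoever holds the link (it is the user's own name and email, sent to that email address), and only integrity and expiry are enforced. The variable name `SIGNUP_TOKEN_KEY`, the `SignupToken` class and the one-hour lifetime are assumptions; the same `load_key` can feed a SecretBox unchanged if confidentiality is wanted.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Mapping, Optional

# Assumed name of the environment variable carrying the base64-encoded key.
KEY_ENV_VAR = "SIGNUP_TOKEN_KEY"
KEY_SIZE = 32   # bytes; the same size as nacl.secret.SecretBox.KEY_SIZE
MAC_SIZE = 32   # bytes; HMAC-SHA256 output length


def generate_key_b64() -> str:
    """Run once, out of band; put the output in the environment or secret
    store, never in the source tree."""
    return base64.urlsafe_b64encode(secrets.token_bytes(KEY_SIZE)).decode("ascii")


def load_key(env: Mapping[str, str] = os.environ) -> bytes:
    """Load the key at start-up. Failing loudly is deliberate: silently
    drawing a fresh key would produce tokens nobody else can check."""
    raw = env.get(KEY_ENV_VAR)
    if not raw:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; create one with generate_key_b64()")
    key = base64.urlsafe_b64decode(raw)
    if len(key) != KEY_SIZE:
        raise RuntimeError(f"{KEY_ENV_VAR} must decode to {KEY_SIZE} bytes")
    return key


class SignupToken:
    """URL-safe tokens bound to a key that is handed in, never created in
    __init__, so every instance built from the same key agrees."""

    def __init__(self, key: bytes, max_age_seconds: int = 3600) -> None:
        self.key = key
        self.max_age = max_age_seconds

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def create(self, first_name: str, email: str, now: Optional[int] = None) -> str:
        issued = int(time.time()) if now is None else now
        body = json.dumps(
            {"first_name": first_name, "email": email, "ts": issued},
            separators=(",", ":"), sort_keys=True,
        ).encode("utf-8")
        return base64.urlsafe_b64encode(body + self._mac(body)).decode("ascii")

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Return the payload, or None if the token is malformed, altered,
        made under a different key, or older than max_age."""
        try:
            raw = base64.urlsafe_b64decode(token.encode("ascii"))
        except (ValueError, UnicodeEncodeError):
            return None
        if len(raw) <= MAC_SIZE:
            return None
        body, mac = raw[:-MAC_SIZE], raw[-MAC_SIZE:]
        if not hmac.compare_digest(mac, self._mac(body)):   # constant-time
            return None
        try:
            payload = json.loads(body)
        except ValueError:
            return None
        current = int(time.time()) if now is None else now
        if current - int(payload.get("ts", 0)) > self.max_age:
            return None
        return payload


def demo() -> dict:
    """Constructed run: two instances from the same environment key agree
    (the signup request and the later confirmation request); an expired,
    tampered or foreign-key token is rejected."""
    env = {KEY_ENV_VAR: generate_key_b64()}
    issuer = SignupToken(load_key(env))
    checker = SignupToken(load_key(env))              # separate instance, same key
    token = issuer.create("Ada", "ada@example.com", now=1_000)
    filler = "AAAAAAAA" if token[-8:] != "AAAAAAAA" else "BBBBBBBB"
    tampered = token[:-8] + filler
    other = SignupToken(load_key({KEY_ENV_VAR: generate_key_b64()}))
    return {
        "fresh": checker.verify(token, now=1_500),
        "expired": checker.verify(token, now=1_000 + 3_601),
        "tampered": checker.verify(tampered, now=1_500),
        "other_key": other.verify(token, now=1_500),
    }
```

In a Flask app the natural place for `load_key()` is app creation (next to `SECRET_KEY` in `app.config`), so the key is read once and the routes only ever receive a `SignupToken` built from it; the two endpoints in the question then share one key instead of each drawing their own.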

Answers (1)

Ganesh

Reputation: 3474

I would suggest adding two fields to your user table:

  1. verified
  2. verified_token

Save your generated token to verified_token, and when the user verifies their email address, set verified to true.

Upvotes: 1
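The server-side variant this answer describes, as an added example that is neither the answerer's code nor the asker's: the two suggested columns on an in-memory SQLite table (assumed for the demo), plus the details a reviewer would expect around them. Because the token is looked up in the database rather than decoded, it can be an opaque random value, so no encryption key has to be stored at all; only a hash of the token is kept, so a table dump cannot be used to confirm accounts; and the token is cleared when used, so a link works once.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional


def open_db() -> sqlite3.Connection:
    """Constructed schema with the two columns from the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " email TEXT PRIMARY KEY,"
        " first_name TEXT NOT NULL,"
        " verified INTEGER NOT NULL DEFAULT 0,"
        " verified_token TEXT)"      # holds a hash of the token, not the token
    )
    return conn


def _token_hash(token: str) -> str:
    # Only the hash is stored; the clear token exists just in the email link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_signup(conn: sqlite3.Connection, first_name: str, email: str) -> Optional[str]:
    """Issue a fresh random token for the address and return it for the link.
    Returns None for an already verified address; the caller shows the same
    'check your inbox' message in both cases so nothing about the account is leaked."""
    row = conn.execute("SELECT verified FROM users WHERE email = ?", (email,)).fetchone()
    if row is not None and row[0]:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT OR REPLACE INTO users (email, first_name, verified, verified_token)"
        " VALUES (?, ?, 0, ?)",
        (email, first_name, _token_hash(token)),
    )
    conn.commit()
    return token


def confirm(conn: sqlite3.Connection, token: str) -> Optional[dict]:
    """Look the token up by hash, mark the row verified and clear the token,
    so the link is single-use. Returns the row's data or None."""
    row = conn.execute(
        "SELECT email, first_name FROM users WHERE verified_token = ? AND verified = 0",
        (_token_hash(token),),
    ).fetchone()
    if row is None:
        return None
    email, first_name = row
    conn.execute(
        "UPDATE users SET verified = 1, verified_token = NULL WHERE email = ?", (email,)
    )
    conn.commit()
    return {"email": email, "first_name": first_name}


def is_verified(conn: sqlite3.Connection, email: str) -> bool:
    row = conn.execute("SELECT verified FROM users WHERE email = ?", (email,)).fetchone()
    return bool(row and row[0])
```

The `/register/<token>` route from the question would call `confirm()` and pre-fill the form from the returned row, and a token that is unknown, already used or for a verified address all produce the same `None`, which the route can turn into one generic error page.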
