How should I build my open source Go app using OAuth2 client ID and secret?

Hello,
I’m new to Go here. I have written an app in go which interacts with the Gmail API using OAuth2.

What I’ve thought of for now, is to provide the source code for the app online on GitHub, without the OAuth2 client credentials, and have Travis CI provide the credentials to go as environment variables.

Do you think this is a secure enough way of hiding the client credentials? Or can the client credentials be found out through the built file also?

The values of environment variables are not part of the binary.

But does the build really require credentials and do you trust Travis CI with them?

How can they not be? I want the app to store them, so that the compiled binaries don’t have to look for the credentials from other places.

Do you use environment variables at runtime? If yes, their values are not put into the binary at build time.

I’m planning to use Travis to build binaries for people to use. So the key thing is, I somehow want to insert the credentials so that it is hidden within the app. Due to this, the app can access it at the runtime, but the users must be unable to peek into it.

A string that is used at build time will become part of the binary. Tools like strings will be able to extract it.

Consider this Go program:

package main

import "fmt"

func main() {
        fmt.Println("secret-password")
}

I’ve built it using go build and extracted the strings from it:

$ go build .
$ ./app
secret-password
$ strings app | head
MCLQZWlA3o2hbFtaevAl/mCPiVsU6RFF8Y1sWQe0t/npVX9FnBJxrkc4OovmZA/TWk7bR3ktTP0dXlp4ur_
D$ H
D$(H
D$0H
L$pH
T$0H
;cpu.u
D$XH
T$0H
T$0H9
$ strings app | grep password
        morebuf={pc:advertise errorasyncpreemptoffbad debugCallV1force gc (idle)key has expiredmalloc deadlockmisaligned maskmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnot a directoryrecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gsecret-passwordstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges:

And voilà, there it is: gsecret-passwordstartm.

Passwords inside a binary are not safe.
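The following program is an added example, not code from the thread or from the original poster's app. It reimplements the core of the strings tool in Go and runs it over a constructed byte image (and over its own executable) to show that a literal such as "secret-password" survives compilation, then contrasts that with loading the OAuth2 client ID and secret from the process environment at runtime, which is what the replies above recommend. The environment variable names GMAIL_CLIENT_ID and GMAIL_CLIENT_SECRET and the helper names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// printableRuns mimics the core of the `strings` tool: it returns every run of
// at least minLen printable ASCII bytes found in data. Anything the compiler
// stored as a plain literal shows up here, which is why a client secret baked
// into the source is recoverable from the built artifact.
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				runs = append(runs, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		runs = append(runs, string(data[start:]))
	}
	return runs
}

// leaksSecret reports whether secret appears inside any extracted run,
// i.e. whether `strings <file> | grep <secret>` would find it.
func leaksSecret(data []byte, secret string) bool {
	for _, r := range printableRuns(data, 4) {
		if strings.Contains(r, secret) {
			return true
		}
	}
	return false
}

// Credentials holds the OAuth2 client ID and secret loaded at runtime.
type Credentials struct {
	ClientID     string
	ClientSecret string
}

// loadCredentials reads the credentials from the environment at runtime.
// The values never pass through the compiler, so they are not in the binary;
// a missing variable is an explicit error rather than a silently empty string.
// The variable names are hypothetical, chosen for this example.
func loadCredentials() (Credentials, error) {
	id := os.Getenv("GMAIL_CLIENT_ID")
	secret := os.Getenv("GMAIL_CLIENT_SECRET")
	if id == "" || secret == "" {
		return Credentials{}, errors.New("GMAIL_CLIENT_ID and GMAIL_CLIENT_SECRET must be set")
	}
	return Credentials{ClientID: id, ClientSecret: secret}, nil
}

// fakeBinary is a constructed stand-in for a compiled executable: a few bytes
// of machine-code-like noise with a string literal stored between them,
// laid out like the runtime strings seen in the forum post's grep output.
func fakeBinary(literal string) []byte {
	noise := []byte{0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x00, 0x00, 0x48, 0x89, 0xe5}
	var b []byte
	b = append(b, noise...)
	b = append(b, []byte("runtime: frame ")...)
	b = append(b, literal...)
	b = append(b, []byte("startm: m has p")...)
	b = append(b, noise...)
	return b
}

func main() {
	// Scan the running executable itself: a literal compiled into this
	// program is found just as `strings app | grep password` found it above.
	if self, err := os.Executable(); err == nil {
		if data, err := os.ReadFile(self); err == nil {
			fmt.Println("literal found in own binary:", leaksSecret(data, "secret-password"))
		}
	}
	fmt.Println("literal found in constructed image:",
		leaksSecret(fakeBinary("secret-password"), "secret-password"))
	if creds, err := loadCredentials(); err != nil {
		fmt.Println("runtime credentials:", err)
	} else {
		fmt.Println("runtime credentials loaded for client", creds.ClientID)
	}
}
```

Running it without the two variables set prints the explicit error, which is the behaviour you want for a public build: the binaries Travis produces carry no credentials, and each user supplies their own client ID and secret (or the app obtains them from a config file it reads at startup) instead of sharing one embedded pair that anyone can lift from the executable.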
