A place for Plugin's sensitive data?

I would like to implement OAuth login for the Imgur plugin, and it will need to store tokens somewhere. Plugin settings are obviously not an option, because they store data in plain text inside the vault. In the Discord chat it was suggested to me to try LocalStorage, but with the caution that it probably won’t work in the mobile version. While the Imgur plugin does not target the mobile platform, what is the most preferable place to store sensitive data? And if there is no such place, it’s probably worth thinking about creating such an API for plugins.

Quoting snyk.io:

local storage should never be used for sensitive information such as passwords or personal information

PS: One other thing which prevents me from implementing OAuth login is that I cannot receive all the data coming to the Obsidian protocol handler as part of a callback URL; see the detailed description here

4 Likes

Did you ever find a good workaround?

Nope, I did not try to find anything (right now I am stuck on the OAuth authentication implementation; I do not even have secrets to store yet). But as soon as I am able to proceed I will stick with localStorage until there is a better API for secrets. I think for me localStorage is a good fit (Imgur authentication can be shared between multiple vaults, and I do not worry about mobile support since I am not targeting it).

A couple of thoughts I had recently on this topic:

  • I do not think localStorage is a good fit for sensitive data, because it is shared with every other plugin, and some evil plugin could dump Object.entries(localStorage) and steal your secrets (if they are stored there).

  • On the other hand I like that localstorage data is available between Vaults. For my Imgur plugin it means that once authenticated in one Vault, you do not need to repeat this step for any other Vault.

Summarizing: localStorage is not an option for really sensitive data. I would like Obsidian to have some interface which would isolate the secret data of different plugins from each other, while allowing such data to be shared for the same plugin between vaults on a single system.

1 Like

Hi there, I’m wondering if anyone found a safe place to store sensitive information? I do not have the requirement of sharing it across other vaults. However, mobile support is required; the user simply has to enter this information again for each vault / device. Otherwise, I’m tempted to manage the encryption myself, but it would be overhead for a common problem, I suppose.

Can you store the token somewhere online? There are plenty of free services where you can bring up a simple server of a few lines written in Python or Go which will return that token on demand. After authentication of course. Let’s Encrypt will provide a secure connection.
That way you won’t care about which platform you are using.
I know it is a bit complicated, but I can’t think of anything else.