I would like to implement OAuth login for Imgur plugin. And it will need to store tokens somewhere. Plugin settings is obviously not an option, because it stores data in plain text inside of a vault. In Discord chat I was suggested to try LocalStorage, but with a caution that it won’t probably work in mobile version. While Imgur plugin does not target mobile platform, what is the most preferable place to store sensitive data? And if there is no such a place, it’s probably worth thinking about creating such an API for plugins.
local storage should never be used for sensitive information such as passwords or personal information
PS One other thing which prevents me from implementing OAuth login is that I can not receive all the data coming to Obsidian protocol handler as part of a callback URL, see the detailed description here
Nope, I did not try to find anything (now I am stuck with OAuth authentication implementation, I do not even have secrets to store yet). But as soon as I will be able to proceed I would stick with localstorage until there is no better API for secrets. I think for me localstorage is a good fit (Imgur authentication can be shared between multiple vaults, and I do not worry about mobile support since I am not targeting it)
A couple of thoughts I had recently on this topic:
I do not think localstorage is a good fit for sensitive data, because it gets shared between any other plugin, and some evil plugin could dump Object.entries(localStorage) and steal your secrets (if they will be stored there).
On the other hand I like that localstorage data is available between Vaults. For my Imgur plugin it means that once authenticated in one Vault, you do not need to repeat this step for any other Vault.
Summarizing: localStorage is not an option for really sensitive data. I would like to have some interface for Obsidian which would isolate secret data of different plugins from each other, allowing to share such data for the same plugin between vaults on a single system.