What's the best way to store a user password?
-
For the UT Nextcloud Music application, I'm looking to store the connection form data (url, user, password) to avoid having to retype them regularly.
I've managed to store this data in an sqlite database. Everything's working fine.
But I'm wondering about saving the password in clear text in a local database.
Is it secure?
Do I have to hash/salt it? Knowing that I have to do the reverse afterwards, which makes the method available to anyone?
Is it possible to use a system method? And if so, do you know a piece of QML code to store and retrieve this, please?
-
@gwado You could encrypt it with username and salt it. You could use something like PGP for that. The best way would be to save it to a file with read-only permissions and owned by root.
Does Nextcloud support public-private key login? That would be ideal. For QML, there is the settings component which saves the variables in a file, but the content isn't readable with a simple cat (IIRC).
There is a lot more information in this Unix stackexchange thread.
-
Don't you just get some token for login and store it, refresh it? I mean, the Nextcloud desktop app is not asking me for a password every run, and that is about all the stuff with OAuth.
-
@gwado There is a Nextcloud plugin in the Online Accounts setting. Could you not integrate your app with that?
Here's some documentation to read up on about the Online Accounts[1]. It is still the old Canonical documentation, but I could not find the UBports mirror.
-
@arubislander the Nextcloud API does not allow you to retrieve Ampache/Subsonic identifiers from the Music application.
-
@gwado Ah, Nextcloud Music provides a Subsonic API. I was not aware.
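
The file-permission idea raised earlier in the thread, applied to the SQLite store from the question, as an added example that is not part of any post and not the app's own code: the database file is created with mode 0600 before any secret is written, and the loader refuses a file that group or others can access. It assumes a POSIX system and a file owned by the user running the app (not root, since the app has to read it); the table layout and function names are hypothetical.

```python
import os
import sqlite3
import stat


def create_private_db(path):
    """Create the SQLite file owner-only (0600) before any secret is stored."""
    # O_EXCL fails if the file already exists, so a file that was pre-created
    # with looser permissions is never silently reused.
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    os.fchmod(fd, 0o600)  # explicit, independent of the process umask
    os.close(fd)
    con = sqlite3.connect(path)  # an empty file is a valid new database
    con.execute("CREATE TABLE account (url TEXT, user TEXT, password TEXT)")
    con.commit()
    return con


def permission_problems(path):
    """Return a list of reasons the credential file should not be trusted."""
    st = os.stat(path)
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def load_account(path):
    """Read the stored (url, user, password) only if the file is private."""
    problems = permission_problems(path)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT url, user, password FROM account").fetchone()
    finally:
        con.close()
```

File permissions only keep other local accounts out; anything running as the same user, or anyone with a copy of the storage, still reads the password in clear text.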