hi
i did not follow the topic recently.
do we have now a way to have secrets like apikeys in obs ?
regards
P
Any updates on this topic ?
i now know at least two apps with apikeys that might be rather part of some secret file on obs
Where was this topic discussed before?
Can you please provide a reference.
AFAIK there are no provisions for “secrets” in OBS or specifically the Sailfish-OBS (which uses an older OBS release).
Have you heard of any or why are you bringing up this topic here (while sounding as if it has been discussed elsewhere, but not referencing this discussion)?
More specifically: Have you researched that OBS or a OBS-plugin provides some kind of “secret handling”? If so, please provide the sources and results of your research, then one (technically interested people or sailors) can look into that.
Hi olf,
two years ago i wanted to bring sailkick into obs, but i did not want to checkin my apikey on github.
i did ask in forum in some other thread here, was told to contact somebody with a 3 letter nick, did that and never got a reponse.
then 1+ year ago i did ask this question here, again bo response.
now tidalplayer has same issue, hence did bump up my old question.
hope i did clarify all questions.
have a nice weekend !
P
Unfortunately you do not provide any reference (neither to “some other thread” or to the “somebody with a 3 letter nick”) again, hence it is impossible to properly assess how to proceed, because it is completely unclear which information and research was exchanged with whom so far.
Nevertheless, as you do not seem to have an idea how to resolve this technically (that was second question in my initial post), just as apparently everybody else too (including me), I suggest to look for other solutions. E.g. some software allows the users to enter API keys in the app’s settings.
lbt was the nick
…und aus
Just in general, if you mean stored api keys for third party services, it’s not a good idea to have them in a repo or on obs. Could you clarify what api keys?
I do, with @cypherpunks use some in a ‘obfuscated’ way, but it’s not a good idea™.
1 Like
apikey is a key that you need to provide with the request.
it allows you to use the service. it identifies the client
e.g. https://support.songkick.com/hc/en-us/articles/360012423194-Access-the-Songkick-API
1 Like
Ok, it’s a really bad idea to use personal dev. keys like that. I know it’s a pain in the ass for users, but, unless you have a commercial sponsor, add a setting for the api key so that users can go an get one to add. That’s how it works in puremaps, it’s how I modified Spritradar (among others) to work. It’s just the only way to keep from having a key abused (which could have legal consequences, which costs money, etc, etc).
1 Like
They do not give any new out. (songkick)
btw. I told them what i am going to do and they gave me the key after 3 months of waiting
no idea about tidal, but assume its the same
Ah, ok. That’s a different matter. Is songkick still running? I don’t know either songkick or tidal, really.
Yes, it is. But they do expect web apps or services. So to keep the key with you in the service.
i case of tidal, you can login in browser and then create an application and you will get an apikey, so this way would actually work
they did disable the api keys for songkick anyway last week.
they would rather charge 500+/month
doubt that i would start to sniff the traffic between browser and backend and rewrite it.
so this app is actually dead.
There’s no secrets handling in obs, in fact, let me show you how secrets are handled in upstream (opensuse obs)
line 1043
4 Likes
Thanks! I have seen this construct before, thought “this is awful, insecure and I would expect OBS to provide a better way”; now I know that this is the “official” method used by the OBS maintainer (Suse).
1 Like
Heh. Github throws tons of warning if you try that. On the other hand, you can get away with: harbour-multimodal/rpm/harbour-multimodal.spec at af28620290381626502ccf69e8a51dd8d23c4e25 · poetaster/harbour-multimodal · GitHub
2 Likes
I think it depends on api key, if it allows to do something with your infrastructure then that’s bad but if its just so that app can communicate with api and allow user login etc, then its not that bad i guess