Storing third party API tokens in a database

Question

Currently I have a Node JS project that uses the Spotify API. The project displays the users top played artists and tracks. I am following the Authorization Code Flow to obtain the access token. This access token will be used to query certain endpoints to obtain a JSON response of the data that will be used for my project. This token lasts an hour. I am currently storing this access token in a cookie and using this cookie to make new requests.

My question is is this acceptable from a security standpoints? This token does not have the ability to change any of the users profile settings or read sensitive data. However, if another person were able to obtain this token they could use this to see another user's data. Or would it be more secure to store this access token in a database an query the database for access tokens whenever need?

Answer 1

I developed a similar application that had to interact with the Spotify API, and the approach to store the API tokens will depend on your threat model. In my application we decided to maintain the token in a configuration file that will be present only on the server (therefore excluded from any source code repository).

In the scenario I described only specific application related users have access (read/write) to the directory where the configuration file is stored. In my threat model I accept the risk (that I considered Low) of a malicious adversary to access my server, escalate privileges to the specific application user, to steal my API credentials.

I hope this clarifies to you how we should think of such scenarios, and that if it's "safe" or not, depends solely on our threat model, and the risks we assume.

Storing an API key in a database could be safe if the proper security measures are configured for it (access control, encryption, archiving), however this is only speculation from my part since I do not have the technical reference of how the mentioned database was configured.