I’m implementing a Magento Extension which connects to a third-party API. I’m brand-new to Magento, but familiar with MVC systems in general.
My question is simply, "Where (and how?) should I store the credentials used to access this third-party API? I could create a database table and store them there, but it feels like overkill. I’ve seen people mention using the Magento cache as a key/value store, but it sounds too fragile. I’ve noticed that Magento seems to have some sort of config object (not really dug into it yet), maybe that’s my best option?
Which of these (if any) is ‘correct’? Which will cause me the fewest headaches in the long run?
it goes without saying that i will need to salt/hash these credentials, but i guess the same question applies to ‘where should i store the salt’?
The typical Magento practice for something like this would be to store them in the database. You can define the database fields and user interface to maintain these credentials through the code in your extension.
A perfect example of this in the core codebase would be the shipping carrier modules. Take a look at app/code/core/Mage/Usa/etc/config.xml:
...
<fedex>
<account backend_model="adminhtml/system_config_backend_encrypted"/>
<meter_number backend_model="adminhtml/system_config_backend_encrypted"/>
<key backend_model="adminhtml/system_config_backend_encrypted"/>
<password backend_model="adminhtml/system_config_backend_encrypted"/>
...
</fedex>
...
By storing the credentials this way, these fields will be available in the administrative section of Magento where a business user can enter or update the credentials and they will be stored as encrypted values in the database. You can access them in your code using Mage::getStoreConfig('carriers/fedex/account'). Hopefully this gets you pointed in the right direction.