amtrack / force-dev-tool

[DEPRECATED] Command line tool supporting the Force.com development lifecycle
MIT License

Passwords are kept unencrypted #85

Closed vkolotov closed 6 years ago

vkolotov commented 7 years ago

Passwords for Salesforce are kept unencrypted in a plain JSON file (config/.orgs.json). Easy to steal.

amtrack commented 7 years ago

@vkolotov I'm aware of that. What alternatives do you have in mind?

vkolotov commented 7 years ago

Hi @amtrack,

Two options in mind:

  1. OAuth2 authentication through browser (like forcecli does). Looks like it keeps access and refresh tokens somewhere, and then uses the refresh token to refresh the access token.
  2. An extra argument to all commands so that CI server can provide it.

Thanks, Vlad

amtrack commented 7 years ago

Hi @vkolotov, that sounds good to me!

  1. I would love to implement this, but unfortunately it is not on my list of next things to work on. Do you feel comfortable implementing this?
  2. I guess this is already possible. Please see the "Using force-dev-tool in a build script" section in the README. Does that work for you?

vkolotov commented 7 years ago

@amtrack Ah, I see now, it was not clear to me. So do I need to set those three variables so that force-dev-tool would pick them up?

BTW, what I did to keep it safe is another option:

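```bash
#!/bin/bash

# Register the org as the default remote (this writes the password to config/.orgs.json)
force-dev-tool remote add "${SFDC_USERNAME}" "${SFDC_USERNAME}" "${SFDC_PASSWORD}" -u "${SFDC_SERVER_URL}" --default

# Run the actual job while the remote exists
/bin/bash scripts/pull-from-sf-push-to-git.sh

# Remove the remote again so the password does not stay on disk
force-dev-tool remote remove "${SFDC_USERNAME}"
```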
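
The add-then-remove approach from the comment above, as an added example that is not part of the original thread or the project's code: it removes the remote even when the wrapped job fails or is interrupted, and then checks that the password is no longer in the file named in the issue. `run_with_temp_remote`, `FDT_BIN`, `ORGS_FILE` and the exit codes 90 to 92 are hypothetical names and values chosen for this sketch.

```shell
#!/bin/bash
# Added example. FDT_BIN and ORGS_FILE are overridable assumptions: the CLI on
# PATH and the plaintext store named in the issue (config/.orgs.json).
FDT_BIN="${FDT_BIN:-force-dev-tool}"
ORGS_FILE="${ORGS_FILE:-config/.orgs.json}"

# run_with_temp_remote CMD [ARGS...]
# Registers the remote from SFDC_USERNAME / SFDC_PASSWORD / SFDC_SERVER_URL,
# runs CMD, and always removes the remote again. Returns CMD's exit status,
# 91 if the remote could not be added, 92 if a variable is missing, or
# 90 if the password is still on disk after cleanup.
run_with_temp_remote() {
  local ret
  if [ -z "${SFDC_USERNAME:-}" ] || [ -z "${SFDC_PASSWORD:-}" ] ||
     [ -z "${SFDC_SERVER_URL:-}" ]; then
    echo "SFDC_USERNAME, SFDC_PASSWORD and SFDC_SERVER_URL must be set" >&2
    return 92
  fi
  (
    umask 077   # files the tool creates are readable by the job user only
    cleanup() { "$FDT_BIN" remote remove "$SFDC_USERNAME" >/dev/null 2>&1; }
    trap cleanup EXIT          # fires on success, failure or explicit exit
    trap 'exit 130' INT TERM   # turn signals into an exit so EXIT fires
    "$FDT_BIN" remote add "$SFDC_USERNAME" "$SFDC_USERNAME" "$SFDC_PASSWORD" \
      -u "$SFDC_SERVER_URL" --default || exit 91
    "$@"
  )
  ret=$?
  # Post-condition: a literal match of the secret must not remain in the
  # plaintext store (heuristic: JSON-escaped characters would not match).
  if [ -f "$ORGS_FILE" ] && grep -qF -- "$SFDC_PASSWORD" "$ORGS_FILE"; then
    echo "password still present in $ORGS_FILE" >&2
    return 90
  fi
  return "$ret"
}
```

Call it as `run_with_temp_remote /bin/bash scripts/pull-from-sf-push-to-git.sh`. The password is still passed as a command-line argument to `remote add`, so it is visible in the process list while that command runs.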

amtrack commented 6 years ago

I'm not planning to implement this as people already have moved or will move to using sfdx instead.