Closed ModProg closed 3 years ago
Maybe we could also encrypt with a simple password, if stored on disk
Like ssh-key
Keyring would be nice for security, but wouldn't that force the user to always enter their password when they want to use this tool? Would be pretty annoying for automating things.
> Maybe we could also encrypt with a simple password, if stored on disk
I don't think this is a good idea. There is no real way to do this securely and the gain is minimal. Also, for an attacker to steal this, they would already need access to the device of the user, in which case they could just read the token from memory after it's decrypted.
True, just wasn't sure if the token should lie around on disk. You are correct that a keyring is either annoying or insecure (if you unlock it permanently).
> True, just wasn't sure if the token should lie around on disk.
Depending on the scenario it shouldn't. If we are talking about personal usage (meaning a person using it on his PC), this is probably the way to go. For automation scenarios (e.g. Docker deployments) the token should be passed via env var.
We can decide to either support both (env var overwrites config) or decide on one of them. Env var would work for both scenarios, but can't be updated automatically as easily as with a config.
Both are supported in my current config implementation.
Closing this since I think we all agree we don't really want / need this.
This could be useful https://github.com/hwchen/keyring-rs
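
The lookup order discussed in this thread (environment variable for automation, config file for personal use, env var overriding config), written out as an added Rust example; it is not the project's own code. The variable name `EXAMPLE_TOOL_TOKEN`, the one-token-per-file layout and the ssh-style permission check on the file are assumptions that go beyond what the thread specifies.

```rust
use std::{env, fs, io, path::Path};

/// Hypothetical variable name; the thread does not name one.
const TOKEN_ENV: &str = "EXAMPLE_TOOL_TOKEN";

#[derive(Debug, PartialEq)]
enum Source { Env, Config }

/// Reject a token file that group or others can access, as ssh does for private keys.
#[cfg(unix)]
fn check_private(path: &Path) -> io::Result<()> {
    use std::os::unix::fs::PermissionsExt;
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied,
            format!("{} has mode {:o}, expected 600", path.display(), mode)));
    }
    Ok(())
}
#[cfg(not(unix))]
fn check_private(_path: &Path) -> io::Result<()> { Ok(()) }

/// Env var wins (automation); otherwise read the config file (personal use).
/// `env_token` is passed in by the caller so the lookup order is testable.
fn resolve_token(env_token: Option<String>, config: &Path) -> io::Result<(String, Source)> {
    if let Some(t) = env_token.filter(|t| !t.trim().is_empty()) {
        return Ok((t.trim().to_string(), Source::Env));
    }
    check_private(config)?;
    let token = fs::read_to_string(config)?.trim().to_string();
    if token.is_empty() {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "empty token file"));
    }
    Ok((token, Source::Config))
}

fn main() {
    // Hypothetical path; a real tool would use its own config location.
    let path = env::temp_dir().join("example_tool_token");
    match resolve_token(env::var(TOKEN_ENV).ok(), &path) {
        // Report only where the token came from, never the token itself.
        Ok((_, src)) => println!("token loaded from {:?}", src),
        Err(e) => eprintln!("no usable token: {e}"),
    }
}
```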