CLI should warn users about their keys in flow.json for mainnet accounts

[sideninja]

We should have the CLI check all the accounts in flow.json and determine if an account is a mainnet account and if it contains the secret key, we should then warn the user in all the commands they are executing (similar to how the outdated version warning looks like) that they should follow the security recommendation for mainnet accounts which would link to a document explaining all the secure alternatives they can take.

[bluesign]

Also maybe we can add support to OS keyrings with https://github.com/99designs/keyring or https://github.com/zalando/go-keyring.

[ianthpun]

hey @sideninja I have a couple of questions:

and determine if an account is a mainnet account and if it contains the secret key

do you mean that it is stored in a format such as:

    "accounts": {
        "emulator-account": {
            "address": "f8d6e0586b0a20c7",
            "key": "6d12eebfef9866c9b6fa92b97c6e705c26a1785b1e7944da701fc545a51d4673"
        }
    }

But instead of the default emulator account, they opted to create one that looks more like

    "accounts": {
        "mainnet-account": {
            "address": "d8ae19483bd4236c",
            "key": "SOME_KEY"
        }
    }

Also, I don't believe there is a way for us to tell if the flow account/address on flow.json is mainnet or not without querying the node AFAIK, which would add network latency friction.

[chasefleming]

@ianthpun Yeah that first example would be a flow.json containing a key. You can use environment variables like $SOME_KEY but you can also use the key/location format. See here: https://developers.flow.com/tools/flow-cli/flow.json/security

[chasefleming]

Also, you're correct it's difficult to determine which account is for what network from the format but I believe there is an algorithm that can determine which address is for what network. @bluesign you have that right? Can you share it and how reliable is it?