poljar / weechat-matrix

Weechat Matrix protocol script written in python

Persistent session #287

Open Mic92 opened 3 years ago

Mic92 commented 3 years ago

I saw that I had to perform single sign-on on every restart of weechat. Since the device id is already persisted, I guess the same could be done for the access token?

https://github.com/poljar/weechat-matrix/blob/79805d02c4fae473dac41e377b9c97c74e4cff92/matrix/server.py#L1345

This would also allow storing an access token instead of a password, which would make revocation easier.

poljar commented 3 years ago

The problem with this is that we don't really have a secure place to store the access token; /secure isn't programmatically available to us.

Users of course can store stuff in /secure manually and that's where passwords end up being.

Mic92 commented 3 years ago

But are passwords not stored in plain text as well? Just storing an access token seems safer as it can be revoked.

poljar commented 3 years ago

They are not stored in plaintext, well not quite correct, you have the choice to store them in plaintext or you can store them encrypted using /secure. Take a look at the docs over here: https://weechat.org/files/doc/stable/weechat_user.en.html#secured_data

poljar commented 3 years ago

Things that we should consider for the Rust rewrite, if we're using SSO:

Mic92 commented 3 years ago

What if the access token is provided by the user? There could be a script written that does the SSO once and prints the access token. This also has the advantage that it can be executed on a machine different from where weechat is running.